Any user can call the setPoolActive and change poolActive flag but should not be allowed. So any user can call the setPoolActive and change poolActive flag.
Vulnerability Detail
The setPoolActive function is not protected but 'msg.sender' must be a pool manager to close the pool.
Impact
Any user can call the setPoolActive and change poolActive flag. This can temporary broke the contract functionality.
pontifex
medium
RFPSimpleStrategy:
setPoolActiveis not protectedAny user can call the
setPoolActiveand changepoolActiveflag but should not be allowed. So any user can call thesetPoolActiveand changepoolActiveflag.Vulnerability Detail
The
setPoolActivefunction is not protected but 'msg.sender' must be a pool manager to close the pool.Impact
Any user can call the
setPoolActiveand changepoolActiveflag. This can temporary broke the contract functionality.Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/6430c8004017e96ae2f5aac365bdefd0b6eeea72/allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol#L216-L222
Tool used
Manual Review
Recommendation
Consider adding a corresponding modifier.