sherlock-audit / 2023-09-Gitcoin-judging


jah - steal fund #948

Closed sherlock-admin closed 11 months ago

sherlock-admin commented 11 months ago

jah

high

steal fund

In QVBaseStrategy, when distributing, anyone can change the recipientAddress by calling allo.registerRecipient, which will allow us to update the recipientAddress.

Vulnerability Detail

When the distribute function is called, a user can front-run it and call allo.registerRecipient, updating the recipientAddress to his own address, so that when _distribute transfers the funds they are transferred to himself.

Impact

Loss of funds.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/qv-base/QVBaseStrategy.sol#L456

Tool used

Manual Review

Recommendation

Don't update the recipientAddress when the status is approved.

sherlock-admin commented 11 months ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid