in QVBaseStrategy when distributing any one can change the recipientAddress by calling allo.registerRecipient which will help us to update the recipientAddress
Vulnerability Detail
when the distribute function is called a user can frontrune and call allo.registerRecipient and upadtes the recipientAddress to his addres to when _distribute transfer fund it will be transfer to his self
jah
high
steal fund
in QVBaseStrategy when distributing any one can change the recipientAddress by calling allo.registerRecipient which will help us to update the recipientAddress
Vulnerability Detail
when the distribute function is called a user can frontrune and call allo.registerRecipient and upadtes the recipientAddress to his addres to when _distribute transfer fund it will be transfer to his self
Impact
loss of fund
Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/qv-base/QVBaseStrategy.sol#L456
Tool used
Manual Review
Recommendation
dont update the recipeitnaddress when the status is approved