search

sherlock-audit / 2023-09-Gitcoin-judging

11 stars 7 forks source link

darkart - Lack of Access Control in `Allocate Function` #955

Closed sherlock-admin2 closed 11 months ago

sherlock-admin2 commented 11 months ago

darkart

medium

Lack of Access Control in Allocate Function

in the function allocate() 

    function allocate(uint256 _poolId, bytes memory _data) external payable nonReentrant { 
        _allocate(_poolId, _data);
    }

is missing access control

Vulnerability Detail

The allocate() function does not have any access control, meaning that anyone can call it to change the pool strategy for any pool. This is a vulnerability because it allows unauthorized users to perform sensitive operations on the pool.

Impact

This issue could allow an attacker to change the pool strategy to a malicious one, which could then steal funds from the pool or perform other unauthorized actions.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L492-L494

Tool used

Manual Review

Recommendation

Add access control to the allocate() function to ensure that only authorized users can call it. This can be done by adding a require statement to the beginning of the function that checks whether the caller is an authorized user. For example:

function allocate(uint256 _poolId, bytes memory _data) external payable nonReentrant { 
+ if msg.sender != isPoolAdmin || msg.sender != _isPoolManager
   revert
        _allocate(_poolId, _data);
    }

It is important to consider who should be authorized to call the allocate() function. This will depend on the specific use case of the pool. It is also important to implement access control in a secure manner.

sherlock-admin commented 11 months ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid, it's the expected behavior