The allocate() function does not have any access control, meaning that anyone can call it to change the pool strategy for any pool. This is a vulnerability because it allows unauthorized users to perform sensitive operations on the pool.
Impact
This issue could allow an attacker to change the pool strategy to a malicious one, which could then steal funds from the pool or perform other unauthorized actions.
Add access control to the allocate() function to ensure that only authorized users can call it. This can be done by adding a require statement to the beginning of the function that checks whether the caller is an authorized user. For example:
It is important to consider who should be authorized to call the allocate() function. This will depend on the specific use case of the pool.
It is also important to implement access control in a secure manner.
darkart
medium
Lack of Access Control in
Allocate Function
in the
function allocate()
is missing access control
Vulnerability Detail
The
allocate() function
does not have any access control, meaning that anyone can call it to change the pool strategy for any pool. This is a vulnerability because it allows unauthorized users to perform sensitive operations on the pool.Impact
This issue could allow an attacker to change the pool strategy to a malicious one, which could then steal funds from the pool or perform other unauthorized actions.
Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L492-L494
Tool used
Manual Review
Recommendation
Add access control to the allocate() function to ensure that only authorized users can call it. This can be done by adding a require statement to the beginning of the function that checks whether the caller is an authorized user. For example:
It is important to consider who should be authorized to call the allocate() function. This will depend on the specific use case of the pool. It is also important to implement access control in a secure manner.