search

sherlock-audit / 2023-09-Gitcoin-judging

11 stars 7 forks source link

0xarno - funding of `QVSimpleStrategy.sol` is impossibe since it doesn't have `receive()` function for eth #957

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

0xarno

high

funding of QVSimpleStrategy.sol is impossibe since it doesn't have receive() function for eth

The QVSimpleStrategy.sol contract currently lacks a receive() function, which means it cannot receive funds directly. Funding for this strategy is typically done by calling the Allo.fundPool() function.in which underhood uses SafeTransferLib.safeTransferETH() if eth is chosen

Vulnerability Detail

Allo protocol, the typical way to fund a strategy is by using the Allo.fundPool() function. Users or smart contracts interact with the Allo contract to provide funds for a pool, and the Allo contract is responsible for distributing those funds to the associated strategy. the QVSimpleStrategy.sol contract cannot receive ether directly because Allo.fundPool() uses SafeTransferLib.safeTransferETH() to transfer eth

Impact

The absence of a receive() function in the QVSimpleStrategy.sol contract directly impact the functioning of the strategy , if someone attempts to send Ether using Allo.fundPool() to the QVSimpleStrategy.sol contract, the transaction will fail, and the funds will not be stored in strategy as intended. U.

Code Snippet

function _fundPool(uint256 _amount, uint256 _poolId, IStrategy _strategy) internal {
        uint256 feeAmount;
        uint256 amountAfterFee = _amount;

        Pool storage pool = pools[_poolId];
        address _token = pool.token;

        if (percentFee > 0) {
            feeAmount = (_amount * percentFee) / getFeeDenominator();
            amountAfterFee -= feeAmount;

            _transferAmountFrom(_token, TransferData({from: msg.sender, to: treasury, amount: feeAmount}));
        }

        _transferAmountFrom(_token, TransferData({from: msg.sender, to: address(_strategy), amount: amountAfterFee}));
        _strategy.increasePoolAmount(amountAfterFee);

        emit PoolFunded(_poolId, amountAfterFee, feeAmount);
    }

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/6430c8004017e96ae2f5aac365bdefd0b6eeea72/allo-v2/contracts/strategies/qv-simple/QVSimpleStrategy.sol#L23

Tool used

Manual Review

Recommendation

add receive() function

Duplicate of https://github.com/sherlock-audit/2023-09-Gitcoin-judging/issues/256

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid,it has receive