search

sherlock-audit / 2023-09-Gitcoin-judging

11 stars 7 forks source link

gkrastenov - Not cleaned votes to other recipient statuses #962

Closed sherlock-admin closed 11 months ago

sherlock-admin commented 11 months ago

gkrastenov

medium

Not cleaned votes to other recipient statuses

Not cleaned votes to other recipient statuses

Vulnerability Detail

When pool managers approve the status of a recipient, the votes for other statuses are not cleared. This leaves open the possibility for managers to continue voting for other statuses and potentially change the recipient's status in the future.

More than one status can be bigger than reviewThreshold and status of recipient can changed everyime. When recipientStatus is setted it should not be changed.

Impact

Wrongly setting of status.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/qv-base/QVBaseStrategy.sol#L273

 for (uint256 i; i < recipientLength;) {
            Status recipientStatus = _recipientStatuses[i];
            address recipientId = _recipientIds[i];

            // if the status is none or appealed then revert
            if (recipientStatus == Status.None || recipientStatus == Status.Appealed) {
                revert RECIPIENT_ERROR(recipientId);
            }

            reviewsByStatus[recipientId][recipientStatus]++;

            if (reviewsByStatus[recipientId][recipientStatus] >= reviewThreshold) {
                Recipient storage recipient = recipients[recipientId];
                recipient.recipientStatus = recipientStatus;

                emit RecipientStatusUpdated(recipientId, recipientStatus, address(0));
            }

            emit Reviewed(recipientId, recipientStatus, msg.sender);

            unchecked {
                ++i;
            }

Tool used

Manual Review

Recommendation

Clear votes of other statuses.

Duplicate of #699