sherlock-admin
commented
11 months ago 1 comment(s) were left on this issue during the judging contest.
n33k commented:
bypassing of fee is an acceptable risk
Closed sherlock-admin2 closed 11 months ago
sherlock-admin
commented
11 months ago 1 comment(s) were left on this issue during the judging contest.
n33k commented:
bypassing of fee is an acceptable risk
radevauditor
medium
Users can bypass the required fees during pool funding even in cloneable strategies
Users can bypass the required fees during pool funding even in cloneable strategies. Also when the pool is funded directly the
pool Amountis not increased.Vulnerability Detail
Users can directly transfer using ERC20 tokens or directly transfer NATIVE currency using
selfdestructto the strategy. This would result in users funding pools without paying any fees to the treasury.Impact
Stuck of funds in the protocol, because the
poolAmountis not increased during direct transfer leading to not properly distribution process.Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/6430c8004017e96ae2f5aac365bdefd0b6eeea72/allo-v2/contracts/core/Allo.sol#L1
Tool used
Manual review
Recommendation
Implement logic to stop direct transfers or if you keeps the allowance of direct transfers implement logic that increase the
poolAmountwhen direct transfer is done.