search

sherlock-audit / 2023-09-Gitcoin-judging

11 stars 7 forks source link

helpMePlease - `_allocate` won't work as intended #966

Closed sherlock-admin closed 11 months ago

sherlock-admin commented 11 months ago

helpMePlease

high

_allocate won't work as intended

The code contains a vulnerability where if a user sends even 1 wei more than the required amount, the function will revert.

Vulnerability Detail

There is a conditional statement that checks if the user is sending ether and the token is not the native token, or if the token is the native token and the value sent is not equal to the required amount. If either of these conditions is true, the function will revert.

// If the token is native, the amount must be equal to the value sent, otherwise it reverts
        if (msg.value > 0 && token != NATIVE || token == NATIVE && msg.value != amount) { //@audit it is very hard to send exact amount
            revert INVALID();
        }

Impact

This vulnerability means that even a slight deviation from the exact required amount, such as sending 1 wei more than required, will result in the function reverting. This could lead to inconvenience for users who unintentionally send a slightly higher amount.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/donation-voting-merkle-base/DonationVotingMerkleDistributionBaseStrategy.sol#L658

Tool used

Manual Review

Recommendation

Modify as follow and then refund the dust amount

// If the token is native, the amount must be equal to the value sent, otherwise it reverts
        if (msg.value > 0 && token != NATIVE || token == NATIVE && msg.value < amount) { 
            revert INVALID();
        }
sherlock-admin commented 11 months ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid, easy to make them match