There is a possibility for a re-entrant call to recall an increase in pool amount multiple times
Vulnerability Detail
The details are as follows:
A malicious owner creates a profile with some members
A malicious owner create a pool with a new strategy using the createPoolWithCustomStrategy with malicious contracts posing as token and strategy contract, the malicious strategy contract must have similar features to the real contract
On the _fundAmount function being called in the create flow, it calls on the transferFrom from the token
Then it calls on the _strategy.increasePoolAmount, this will call the malicious contract which in turn send delegatecall to any real live strategy (this is to impersonate the Allo contract) and inflate the pool value to excessive amounts unchecked without the pool being able to redeem these values.
The malicious members can then allocate these funds to random strangers or compromised individuals.
These members or individuals can withdraw tokens
Impact
High Impact, which in best case scenario is loss of data and DOS, which could cause users or admin to switch pools. Worst case scenario loss of funds.
John_Femi
medium
Admin or Member Can Inflate Pool Amount
There is a possibility for a re-entrant call to recall an increase in pool amount multiple times
Vulnerability Detail
The details are as follows:
createPoolWithCustomStrategy
with malicious contracts posing as token and strategy contract, the malicious strategy contract must have similar features to the real contracttransferFrom
from the tokenImpact
High Impact, which in best case scenario is loss of data and DOS, which could cause users or admin to switch pools. Worst case scenario loss of funds.
Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L144
Tool used
Manual Review
Recommendation
Move non-reentrant checks to internal functions instead and add checks in the increasePoolAmount