foresthalberd - Voters can vote multiple times

[sherlock-admin]

foresthalberd

high

Voters can vote multiple times

The _qv_allocate function in QVBaseStrategy.sol, there is no logic to decrease the allocators voiceCredits which they are checked to have in the _allocate() function. This allows the voters to continue casting votes that they might not have by calling the function multiple times with their votes.

Vulnerability Detail

Voters can vote multiple times because their credits aren't updated.

        // update the values
        voteResult -= votesCastToRecipient;
        totalRecipientVotes += voteResult;
        _recipient.totalVotesReceived += voteResult;

        _allocator.voiceCreditsCastToRecipient[_recipientId] += totalCredits;
        _allocator.votesCastToRecipient[_recipientId] += voteResult;

        // emit the event with the vote results
        emit Allocated(_recipientId, voteResult, _sender);
    }

Impact

The logic for _qv_allocate updates the values voteResult, totalRecipientVotes, _recipient.totalVotesReceived but doesn't decrease the allocator.voteCredits, meaning the balance of the allocator's voice credits remains the same.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/strategies/qv-base/QVBaseStrategy.sol#L525

Tool used

Manual Review

Recommendation

Update the allocator.voiceCredits by decreasing it by the voiceCreditsToAllocate before _qv_allocate is called.

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid, very close to #150, but there is logic error in the submition and the fix is misleading