Security Considerations
Reentrancy
Reentrancy attacks are a well-known method of hacking smart contracts. The Quadratic Funding contract uses OpenZeppelin's ReentrancyGuard to prevent such attacks, applying its nonReentrant modifier to vote:
function vote(bytes[] calldata encodedVotes, address voterAddress) external override payable nonReentrant isRoundContract {
Encoding Data
Many functions in Allo take their input as encoded bytes. Your strategy contract needs to decode that data in the function body. For example, allocate in QVSimpleStrategy.sol uses abi.decode:
function _allocate(bytes memory _data, address _sender) internal virtual override {
    // Decode the recipient and the voice credits to allocate from the encoded payload.
    (address recipientId, uint256 voiceCreditsToAllocate) = abi.decode(_data, (address, uint256));
}
Checking the Token
There should be a check to ensure that any tokens being sent are valid. This prevents attacks by users minting new tokens or trying to vote with unaccepted tokens. Some voting strategies will allow voting with multiple tokens, which will need to be handled in the code logic.
The OpenZeppelin Address and SafeERC20Upgradeable contracts provide safe transfer methods for native tokens and ERC20 tokens.
// native token transfer example
AddressUpgradeable.sendValue(payable(_grantAddress), _amount);
// erc20 transfer example
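The token check described above, written out as an added example (not Allo's or the page's own code): a hypothetical TokenCheckedVoting contract decodes an encoded vote, rejects any token that is not on its allowlist, and only then moves funds with the OpenZeppelin helpers. The contract name, the (token, amount, grantAddress) encoding, address(0) as the native-token sentinel, and the non-upgradeable OpenZeppelin Contracts v4.x import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Allo code. Assumes OpenZeppelin Contracts v4.x import paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Address} from "@openzeppelin/contracts/utils/Address.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";

contract TokenCheckedVoting is ReentrancyGuard {
    using SafeERC20 for IERC20;

    // Sentinel standing for the native token (an assumption of this example).
    address public constant NATIVE = address(0);
    mapping(address => bool) public acceptedToken;

    error TokenNotAccepted(address token);
    error ZeroAmount();
    error NativeAmountMismatch(uint256 sent, uint256 expected);
    error UnexpectedNativeValue();

    event Voted(address indexed voter, address indexed token, uint256 amount, address indexed grantAddress);

    constructor(address[] memory tokens) {
        for (uint256 i = 0; i < tokens.length; i++) acceptedToken[tokens[i]] = true;
    }

    /// @param encodedVote abi.encode(address token, uint256 amount, address grantAddress)
    function vote(bytes calldata encodedVote) external payable nonReentrant {
        (address token, uint256 amount, address grantAddress) =
            abi.decode(encodedVote, (address, uint256, address));

        // Reject any token the round never listed, e.g. one the voter deployed and minted.
        if (!acceptedToken[token]) revert TokenNotAccepted(token);
        if (amount == 0) revert ZeroAmount();

        emit Voted(msg.sender, token, amount, grantAddress);
        if (token == NATIVE) {
            // The encoded amount must equal the value actually sent with the call.
            if (msg.value != amount) revert NativeAmountMismatch(msg.value, amount);
            Address.sendValue(payable(grantAddress), amount);
        } else {
            // No native value may ride along with an ERC20 vote.
            if (msg.value != 0) revert UnexpectedNativeValue();
            IERC20(token).safeTransferFrom(msg.sender, grantAddress, amount);
        }
    }
}
```

A strategy that accepts several tokens would extend the allowlist rather than drop the check; here the list is fixed at construction to keep the example short.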