Scrawny Mustard Tadpole
Medium
An allowlist is set when a boost is created; it defines who can perform the action on the boost. But this allowlist is not checked in AContractAction, which holds the execute function.
1.) A boost is created and an allowlist is provided for it, which acts as a whitelist for the boost.
This can be either an allowlist or a deny list (blacklisted addresses).
2.) Imagine Alice was blacklisted for the above boost. She can still perform the action (a contract action; moreover, there is no such check in any action, such as EventAction), because AContractAction does not check whether Alice is in the blacklist.
Blacklisted users can perform actions and claim incentives.
Manual Review
Check if the user performing the action is permitted or not.
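A sketch of the recommended check, added here as an illustration and not taken from the audited code base. The interface, contract, function and error names are hypothetical and simplified, and it assumes the action is called directly by the user, so that `msg.sender` is the address to look up:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Hypothetical, simplified list interface (assumption, not the project's own).
interface IAllowListLike {
    // True when `user` may act on the boost. A deny list is assumed to
    // return false for every address it contains.
    function isAllowed(address user, bytes calldata data) external view returns (bool);
}

contract GatedContractAction {
    error Unauthorized(address user);
    error TargetCallFailed();

    IAllowListLike public immutable allowList; // list chosen at boost creation (assumed wiring)
    address public immutable target;           // contract the action calls
    bytes4 public immutable selector;          // function the action calls

    constructor(IAllowListLike allowList_, address target_, bytes4 selector_) {
        allowList = allowList_;
        target = target_;
        selector = selector_;
    }

    // Pattern described in the finding: no list lookup, so an address on
    // the deny list can still perform the action.
    function executeUnchecked(bytes calldata data)
        external
        payable
        returns (bool ok, bytes memory ret)
    {
        (ok, ret) = target.call{value: msg.value}(abi.encodePacked(selector, data));
    }

    // Recommended pattern: consult the boost's list before forwarding the call.
    function execute(bytes calldata data) external payable returns (bytes memory ret) {
        if (!allowList.isAllowed(msg.sender, data)) revert Unauthorized(msg.sender);
        bool ok;
        (ok, ret) = target.call{value: msg.value}(abi.encodePacked(selector, data));
        if (!ok) revert TargetCallFailed();
    }
}
```

If the action is reached through an intermediary contract instead, the address passed to `isAllowed` has to be the original user supplied by that trusted caller, not `msg.sender`.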