Public `conclude` method has no checks

More accurately, the only check is that the channel is not already finalized.

It's therefore trivial to finalize a channel with any outcome I like, and thereby steal other participants' money.

force-move-protocol/packages/fmg-nitro-adjudicator/contracts/NitroAdjudicator.sol

Lines 291 to 293 in a63ce0e

    
           function conclude(ConclusionProof memory proof) public { 
        
               _conclude(proof); 
        
           }

and

force-move-protocol/packages/fmg-nitro-adjudicator/contracts/NitroAdjudicator.sol

Lines 466 to 480 in a63ce0e

    
           function _conclude(ConclusionProof memory proof) internal { 
        
               address channelId = proof.penultimateCommitment.channelId(); 
        
               require( 
        
                   (outcomes[channelId].finalizedAt > now || outcomes[channelId].finalizedAt == 0), 
        
                   "Conclude: channel must not be finalized" 
        
               ); 
        
               outcomes[channelId] = Outcome( 
        
                   proof.penultimateCommitment.destination, 
        
                   now, 
        
                   proof.penultimateCommitment, 
        
                   proof.penultimateCommitment.allocation 
        
               ); 
        
               emit Concluded(channelId); 
        
           }

	function conclude(ConclusionProof memory proof) public {
	_conclude(proof);
	}

	function _conclude(ConclusionProof memory proof) internal {
	address channelId = proof.penultimateCommitment.channelId();
	require(
	(outcomes[channelId].finalizedAt > now \|\| outcomes[channelId].finalizedAt == 0),
	"Conclude: channel must not be finalized"
	);

	outcomes[channelId] = Outcome(
	proof.penultimateCommitment.destination,
	now,
	proof.penultimateCommitment,
	proof.penultimateCommitment.allocation
	);
	emit Concluded(channelId);
	}