The recordVote() function in veRAACToken lacks proper access control, allowing any user to record votes on behalf of any other address. This completely compromises the voting system's integrity by enabling vote impersonation.
The recordVote() function accepts an arbitrary voter address parameter without verifying that the caller (msg.sender) is authorized to vote for that address:
A malicious actor can call this function with any address as the voter parameter, effectively casting votes on behalf of other users without their permission.
Vote Hijacking: Attackers can cast unauthorized votes using other users' voting power
Denial of Service: Once a vote is recorded for an address, the legitimate owner cannot vote
Governance Manipulation: Malicious actors can control proposal outcomes by impersonating large token holders
Modify the function to use msg.sender as the voter, removing the ability to specify an arbitrary address:
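The pattern described above, as an added illustrative contract that is not veRAACToken's code: the vulnerable shape (caller-supplied `voter`) sits beside the recommended fix (`msg.sender` as the voter). The voting-power mapping, the `hasVoted` bookkeeping, the tally mappings, the event and the constructed balances are all assumptions chosen to mirror the finding; only the access-control difference between the two functions is the point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example contract (not the project's code). Storage layout, event and
// sample balances are assumptions used to make the finding reproducible.
contract VoteRecorderExample {
    mapping(address => uint256) public votingPower;               // assumed source of weight
    mapping(uint256 => mapping(address => bool)) public hasVoted; // proposalId => voter => voted
    mapping(uint256 => uint256) public votesFor;
    mapping(uint256 => uint256) public votesAgainst;

    event VoteRecorded(uint256 indexed proposalId, address indexed voter, bool support, uint256 weight);

    constructor() {
        // Constructed sample balances so the two paths can be exercised in a test.
        votingPower[address(0xA11CE)] = 1_000e18; // large holder
        votingPower[address(0xB0B)] = 10e18;      // small holder
    }

    // VULNERABLE (mirrors the finding): `voter` is whatever the caller passes in.
    // Any address can spend another holder's weight and flip its hasVoted flag,
    // after which the real holder's own call reverts with "already voted".
    function recordVoteVulnerable(address voter, uint256 proposalId, bool support) external {
        require(!hasVoted[proposalId][voter], "already voted");
        uint256 weight = votingPower[voter];
        require(weight > 0, "no voting power");
        hasVoted[proposalId][voter] = true;
        if (support) {
            votesFor[proposalId] += weight;
        } else {
            votesAgainst[proposalId] += weight;
        }
        emit VoteRecorded(proposalId, voter, support, weight);
    }

    // FIXED: the voter is always msg.sender. The parameter is gone, so there is
    // no way to name someone else; only the key holder can spend its own weight.
    function recordVote(uint256 proposalId, bool support) external {
        address voter = msg.sender;
        require(!hasVoted[proposalId][voter], "already voted");
        uint256 weight = votingPower[voter];
        require(weight > 0, "no voting power");
        hasVoted[proposalId][voter] = true;
        if (support) {
            votesFor[proposalId] += weight;
        } else {
            votesAgainst[proposalId] += weight;
        }
        emit VoteRecorded(proposalId, voter, support, weight);
    }
}
```

A regression test for the fix (Foundry or Hardhat) should do two things: call `recordVote` from an unrelated account and assert that `hasVoted[proposalId][largeHolder]` is still false and the tallies are unchanged, then call it as the holder and assert the vote lands with the holder's weight. If the protocol genuinely needs third-party or gasless voting, the safe substitute for an arbitrary `voter` parameter is a holder-signed message (EIP-712 typed data recovered with `ecrecover`, with a nonce and deadline) rather than trusting the caller's claim.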