Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

No validation performed on veRAACToken::recordVote

Summary

Besides lacking access control, recordVote performs no validation of whether the voter has voting power. A vote should be cast and recorded based on that check, but that is not the case.

Vulnerability Details

The voting power of the voter is calculated, but no validation is performed on it, such as checking whether the voter has enough power to vote.

    function recordVote(
        address voter,
        uint256 proposalId
    ) external {
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        _hasVotedOnProposal[voter][proposalId] = true;
        // Voting power is read but never checked before the vote is recorded
        uint256 power = getVotingPower(voter);
        emit VoteCast(voter, proposalId, power);
    }

Currently recordVote is very vague, and nothing is implemented correctly. But these two checks are must-haves based on the documentation/specification.

Impact

  • Users without voting power can vote, which makes voting accessible to everyone.

Tools Used

Manual Review

Recommendations

Perform validation of voting power (along with access control, which was already submitted separately because its root cause was different):

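    function recordVote(
        address voter,
        uint256 proposalId
    ) external {
        // Access control: the caller can only vote for itself
        voter = msg.sender;
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        uint256 power = getVotingPower(voter);
        // Mark the vote as cast only when the voter holds voting power
        if (power > 0) {
            _hasVotedOnProposal[voter][proposalId] = true;
        }
        // The event is emitted either way, carrying the computed power
        emit VoteCast(voter, proposalId, power);
    }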
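
A stricter variant of the recommendation above, as an added example that is not part of the original submission or the project's code: it goes beyond the submitted snippet by reverting for zero-power callers, so no state changes and no VoteCast event is emitted for them. The contract name, the NoVotingPower error, setPowerForTest, hasVoted and the mapping-backed getVotingPower are assumptions made so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration, not the project's contract. Voting power is stubbed
/// with a plain mapping so the example is self-contained.
contract VoteRecorderSketch {
    error AlreadyVoted();
    error NoVotingPower(); // hypothetical error, not on the original page

    event VoteCast(address indexed voter, uint256 indexed proposalId, uint256 power);

    mapping(address => mapping(uint256 => bool)) private _hasVotedOnProposal;
    mapping(address => uint256) private _power; // stand-in for the real power source

    /// Test-only helper (hypothetical): assigns voting power to an account.
    function setPowerForTest(address account, uint256 amount) external {
        _power[account] = amount;
    }

    function getVotingPower(address account) public view returns (uint256) {
        return _power[account];
    }

    function hasVoted(address account, uint256 proposalId) external view returns (bool) {
        return _hasVotedOnProposal[account][proposalId];
    }

    /// The caller is the voter, so a vote cannot be recorded for another address.
    function recordVote(uint256 proposalId) external {
        address voter = msg.sender;
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();

        uint256 power = getVotingPower(voter);
        // Reject zero-power callers outright: no state change, no VoteCast event
        if (power == 0) revert NoVotingPower();

        _hasVotedOnProposal[voter][proposalId] = true;
        emit VoteCast(voter, proposalId, power);
    }
}
```
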
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
