Unauthorized Voting on Emission Direction Without veRAAC Tokens
Summary
The voteEmissionDirection function in RAACGauge.sol allows any address to vote on emission direction without requiring ownership of veRAAC tokens. This means:
Anyone can call the function, even if they don’t hold
veRAAC.No token requirement allows unauthorized users to influence emissions.
Votes can exceed the maximum limit of
10,000, leading to potential abuse.
Affected Code: RAACGauge::voteEmissionDirection
Vulnerability Details
The voteEmissionDirection function is accessible to any external address without proper validation of the caller's veRAAC token balance. The lack of access control or balance verification allows malicious actors to submit votes and manipulate emission direction.
Affected Code:
POC
Paste this code into the RAACGauge.test.js file.
In this test, user1 can vote successfully despite not holding any veRAAC tokens.
Impact
Unauthorized manipulation of emission direction can disrupt the protocol's reward distribution mechanism, potentially directing emissions away from legitimate stakeholders.
Max limit bypass – No restriction prevents setting values beyond 10,000.
Tools Used
Manual Code Review
Hardhat
Recommendations
-
Modify the Function:
UpdatevoteEmissionDirectionto include a balance check:function voteEmissionDirection(uint256 direction) external whenNotPaused {+ if (veRAAC.balanceOf(msg.sender) == 0) revert UnauthorizedVote();+ require(direction <= 10000);voteDirection(direction);}
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.