Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Malicious user can cast votes on other users' behalf

Summary

A malicious user can vote on behalf of other users without restriction.

Vulnerability Details

The function `recordVote` in `veRAACToken.sol` accepts two parameters, `address voter` and `proposalId`, but never checks that `msg.sender` is the provided `voter` address.
A malicious user can therefore record votes on any `proposalId` without restriction by passing the addresses of other users, manipulating voting and proposals.
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/veRAACToken.sol#L408-L417

Impact

A malicious user can record votes on any proposal id without restriction, manipulating voting and taking away the right of the specified user, on whose behalf the vote is recorded, to cast their own vote.

Tools Used

Manual review

Recommendations

Verify that `msg.sender` is the address passed as `voter` if the function is intended to be called directly by protocol users, or restrict the function so that it can only be called by a trusted admin role.
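The pattern the finding describes, placed next to a version that applies the recommendation. This is an added illustration written for this page, not the project's `veRAACToken` code: the `hasVoted` mapping, the `VoteCast` event, the `governance` address used as the trusted role, and the error names are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the pattern in the finding (assumed layout,
// not the project's contract). The only point is the missing caller check.
contract VoteRecorderVulnerable {
    mapping(address => mapping(uint256 => bool)) public hasVoted;
    event VoteCast(address indexed voter, uint256 indexed proposalId);

    error AlreadyVoted();

    // Nothing ties `voter` to `msg.sender`: any caller can mark any address
    // as having voted on any proposal and emit a VoteCast event in its name.
    function recordVote(address voter, uint256 proposalId) external {
        if (hasVoted[voter][proposalId]) revert AlreadyVoted();
        hasVoted[voter][proposalId] = true;
        emit VoteCast(voter, proposalId);
    }
}

// Hardened form covering both options in the recommendation:
// the caller records its own vote, or a trusted role records it on the user's behalf.
contract VoteRecorderFixed {
    mapping(address => mapping(uint256 => bool)) public hasVoted;
    address public immutable governance; // assumed trusted caller (e.g. a governance contract)
    event VoteCast(address indexed voter, uint256 indexed proposalId);

    error AlreadyVoted();
    error Unauthorized(address caller, address voter);

    constructor(address governance_) {
        require(governance_ != address(0), "governance required");
        governance = governance_;
    }

    function recordVote(address voter, uint256 proposalId) external {
        // Access control: either the voter itself or the trusted role, nobody else.
        if (msg.sender != voter && msg.sender != governance) {
            revert Unauthorized(msg.sender, voter);
        }
        if (hasVoted[voter][proposalId]) revert AlreadyVoted();
        hasVoted[voter][proposalId] = true;
        emit VoteCast(voter, proposalId);
    }
}
```

Note that the check belongs at the top of the function, before any state is written, so that a rejected call leaves neither a `hasVoted` entry nor an emitted event behind; off-chain indexers that consume `VoteCast` would otherwise still see the forged record.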

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::recordVote lacks access control, allowing anyone to emit fake events
