Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Multiple Voting Attack in Governance:castVote via Transferable Voting Power leads to vote manipulation

Summary

The Governance contract contains a critical vulnerability in its castVote function. Although there is a check to prevent an address from voting more than once, the contract does not lock or snapshot the voting power at the time of voting. Consequently, an attacker can vote using one address, transfer their voting power to another address, and cast additional votes on the same proposal. This loophole can be exploited to manipulate proposal outcomes.

Vulnerability Details

In the castVote function, the contract checks if an address has already voted:

if (proposalVote.hasVoted[msg.sender]) { // <- FOUND
    revert AlreadyVoted(proposalId, msg.sender, block.timestamp);
}

This check only prevents duplicate votes from the same address. There is no mechanism to lock or snapshot the voter’s power at the time of vote casting. As a result, after voting, an attacker can transfer their voting power to another address and vote again on the same proposal. This means that the same voting power can be used repeatedly, potentially leading to a manipulated outcome in favor of the attacker.

Impact

Impact is high, as an attacker can easily influence proposals and may change the direction of voting to their side.

Likelihood is also high, as no prevention mechanism is implemented, so an attacker can use this vulnerability each time.

Manipulation of Governance Decisions: An attacker can artificially inflate their voting power, leading to unjustified approvals or rejections of proposals.

Undermined Trust: The integrity of the governance process is compromised, potentially causing a loss of confidence in the protocol.

Centralization Risk: Repeated exploitation may concentrate control in the hands of a few, skewing decentralized decision-making processes.

Imagine an attacker has high voting power: the attacker can create several addresses, transfer voting power to these addresses, and furthermore cast votes on different proposals.

Tools Used

• Manual code review

Recommendations

Implement a Voting Power Lock or Snapshot Mechanism: Modify the contract to lock or snapshot the voting power at the time of vote casting. This would prevent voters from transferring their tokens and reusing the voting power across different addresses.

Enhance the Token Contract or Governance Logic: Consider integrating a mechanism within the token contract to lock tokens during the voting period or maintain a separate record in the governance contract to track locked voting power.
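
A minimal model of the snapshot recommendation above, added here as an illustration: it is not the audited Governance or token code, and the Token, Governance and tally names, the checkpoint layout and the balances are constructed assumptions. It contrasts vote weight read at cast time with weight read from a checkpoint taken when the proposal is created.

```javascript
// Constructed model, not the project's contracts: live-balance weighting vs. snapshot weighting.
class Token {
  constructor() { this.balances = new Map(); this.checkpoints = new Map(); this.clock = 0; }
  balanceOf(a) { return this.balances.get(a) || 0; }
  _write(a, v) {
    this.balances.set(a, v);
    if (!this.checkpoints.has(a)) this.checkpoints.set(a, []);
    this.checkpoints.get(a).push({ at: this.clock, value: v });
  }
  mint(a, v) { this.clock++; this._write(a, this.balanceOf(a) + v); }
  transfer(from, to, v) {
    if (this.balanceOf(from) < v) throw new Error("insufficient balance");
    this.clock++;
    this._write(from, this.balanceOf(from) - v);
    this._write(to, this.balanceOf(to) + v);
  }
  // Balance as of a past clock value: the last checkpoint written at or before it.
  getPastBalance(a, at) {
    let v = 0;
    for (const c of this.checkpoints.get(a) || []) if (c.at <= at) v = c.value;
    return v;
  }
}

class Governance {
  constructor(token, useSnapshot) { this.token = token; this.useSnapshot = useSnapshot; }
  // The snapshot point is fixed once, when the proposal is created.
  propose() { this.snapshot = this.token.clock; this.hasVoted = new Set(); this.forVotes = 0; }
  castVote(voter) {
    if (this.hasVoted.has(voter)) throw new Error("AlreadyVoted");
    this.hasVoted.add(voter);
    const weight = this.useSnapshot
      ? this.token.getPastBalance(voter, this.snapshot) // weight frozen at proposal creation
      : this.token.balanceOf(voter);                    // weight read at cast time
    this.forVotes += weight;
    return weight;
  }
}

// One holder with 100 tokens votes, moves the tokens, and the recipient votes too.
function tally(useSnapshot) {
  const token = new Token();
  token.mint("alice", 100);
  const gov = new Governance(token, useSnapshot);
  gov.propose();
  gov.castVote("alice");
  token.transfer("alice", "bob", 100);
  gov.castVote("bob");
  return gov.forVotes;
}
```

With live balances the 100 tokens are counted twice; with the snapshot the recipient's weight at proposal creation is zero, so the per-address hasVoted check is sufficient.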

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
