Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Users can vote twice via withdraw/lock RAAC

Summary

Users can vote twice via withdraw/lock RAAC

Vulnerability Details

In GaugeController, veRAAC holders can vote for the gauge they want, and the admin distributes rewards according to each gauge's weight.

The contract uses veRAACToken.balanceOf(msg.sender) as the voting power. The problem is that a user can vote for the same gauge twice if the veRAAC can be withdrawn: vote for a gauge first, withdraw the veRAAC to get the RAAC back, lock that RAAC again from another address, and vote for the same gauge from the second address. The same RAAC is then counted twice.

For example:

  1. Alice locks RAAC to get some veRAAC at timestamp X; the locking period is 1 year.

  2. Alice votes for gauge A at timestamp X + 1 year - 3 days.

  3. When the time reaches timestamp X + 1 year, Alice withdraws her veRAAC and transfers the RAAC to another address, Bob.

  4. Bob locks the RAAC to get some veRAAC at timestamp X + 1 year and votes for gauge A. In this way, the same RAAC tokens vote twice for the same gauge.

```solidity
function vote(address gauge, uint256 weight) external override whenNotPaused {
    if (weight > WEIGHT_PRECISION) revert InvalidWeight();
    // Voting power is read from the current veRAAC balance only at vote time;
    // nothing ties the vote to the lock, so the veRAAC can later be withdrawn.
    uint256 votingPower = veRAACToken.balanceOf(msg.sender);
    if (votingPower == 0) revert NoVotingPower();
    uint256 oldWeight = userGaugeVotes[msg.sender][gauge];
    userGaugeVotes[msg.sender][gauge] = weight;
    _updateGaugeWeight(gauge, oldWeight, weight, votingPower);
}
```

Impact

Users can vote twice via withdraw/lock RAAC to inflate one gauge's voting weight, and so receive more rewards than intended.

Tools Used

Manual

Recommendations

If veRAAC tokens have been used to vote for a gauge, those veRAAC tokens should not be withdrawable while the vote is active.
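
The four-step scenario above and this recommendation, as an added Python model (not code from the report or the RAAC contracts): vote() snapshots balanceOf once and never revisits it, so the same RAAC relocked under a second address is counted twice, while the hardened variant refuses withdraw() as long as the veRAAC still backs a vote. VeToken, replay and the VotingPowerInUse error are constructed for the model, and _updateGaugeWeight is approximated as weight * power because its body is not shown in the report.

```python
YEAR, WEIGHT_PRECISION = 365 * 86400, 10_000   # 1-year lock; weight scale used by vote()

class VeToken:
    """Toy veRAAC: balanceOf equals the locked RAAC until the holder withdraws."""
    def __init__(self, controller=None):
        self.locked = {}              # addr -> (amount, unlock_time)
        self.controller = controller  # hardened variant: controller may veto withdrawals
    def lock(self, addr, amount, now, duration=YEAR):
        self.locked[addr] = (amount, now + duration)
    def balance_of(self, addr):
        return self.locked.get(addr, (0, 0))[0]
    def withdraw(self, addr, now):
        amount, unlock = self.locked[addr]
        if now < unlock:
            raise RuntimeError("LockNotExpired")
        # Mitigation per the recommendation (error name hypothetical): veRAAC still backing a vote stays locked
        if self.controller is not None and self.controller.has_active_vote(addr):
            raise RuntimeError("VotingPowerInUse")
        return self.locked.pop(addr)[0]

class GaugeController:
    """Mirrors vote(): power is read from balanceOf once, at vote time, and never revisited."""
    def __init__(self):
        self.ve, self.gauge_weight, self.user_votes = None, {}, {}
    def vote(self, user, gauge, weight):
        if weight > WEIGHT_PRECISION:
            raise RuntimeError("InvalidWeight")
        power = self.ve.balance_of(user)
        if power == 0:
            raise RuntimeError("NoVotingPower")
        old = self.user_votes.get((user, gauge), 0)
        self.user_votes[(user, gauge)] = weight
        # Modeled _updateGaugeWeight (its body is not in the report): gauge gains weight * power
        self.gauge_weight[gauge] = self.gauge_weight.get(gauge, 0) + (weight - old) * power
    def has_active_vote(self, user):
        return any(u == user and w > 0 for (u, _), w in self.user_votes.items())

def replay(enforce_lock):
    gc = GaugeController()
    gc.ve = ve = VeToken(controller=gc if enforce_lock else None)
    ve.lock("alice", 1_000, now=0)                # 1. Alice locks 1000 RAAC at X
    gc.vote("alice", "gaugeA", WEIGHT_PRECISION)  # 2. Alice votes for gauge A
    try:
        raac = ve.withdraw("alice", now=YEAR)     # 3. lock expired: Alice withdraws
    except RuntimeError:                          # hardened model refuses here
        return gc.gauge_weight["gaugeA"]
    ve.lock("bob", raac, now=YEAR)                # 4. same RAAC relocked under Bob
    gc.vote("bob", "gaugeA", WEIGHT_PRECISION)    #    and counted a second time
    return gc.gauge_weight["gaugeA"]
```

replay(False) returns twice the weight that 1000 RAAC should carry; replay(True) stops at step 3 and gauge A keeps a single vote's weight.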

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController::vote never enforces VOTE_DELAY or updates lastVoteTime, allowing users to spam votes and manipulate gauge weights without waiting