The vote function is responsible for allowing users to assign voting weight to a gauge based on their veRAAC token balance. However, instead of using the getVotingPower function to calculate the user's actual locked voting power, the function uses balanceOf(msg.sender).
Since balanceOf only reports the user's current balance and does not account for vesting or locked states, users can temporarily acquire veRAAC tokens, vote, and then return or transfer them, while their vote remains counted.
This introduces a vote manipulation vulnerability: users can borrow, delegate, or transfer tokens solely for the purpose of voting, inflating their influence unfairly.
The function retrieves the user's voting power by calling balanceOf(msg.sender). balanceOf only returns the current transferable balance and does not check whether the tokens are actually locked, which is what voting should require. The function should instead use getVotingPower(msg.sender), which counts only locked veRAAC tokens.
A user can borrow veRAAC tokens, vote, and return them, and the vote remains counted even though they no longer hold any tokens. Because nothing verifies that the tokens remain locked, voting power is artificially inflated and voting outcomes can be manipulated.
Tools used: manual review.
Recommendation: use getVotingPower(msg.sender) instead of balanceOf(msg.sender) in vote, so that only locked veRAAC tokens count toward gauge weight.
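As an added example (not the project's code), the following Solidity sketch places the vulnerable vote beside the recommended fix, with a constructed MockVeRAAC standing in for the real token. The IveRAAC interface, the mock, the GaugeControllerExample contract, its basis-point weight convention and the _applyVote helper are all assumptions for illustration; only the balanceOf/getVotingPower distinction comes from the finding, and the example assumes, as the recommendation does, that locked voting power cannot be moved between accounts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed subset of the veRAAC interface: only the two accessors the finding discusses.
interface IveRAAC {
    function balanceOf(address account) external view returns (uint256);
    function getVotingPower(address account) external view returns (uint256);
}

// Constructed mock, not the real veRAAC. It keeps a transferable balance and a
// separately tracked locked amount so that balanceOf and getVotingPower can diverge.
contract MockVeRAAC is IveRAAC {
    mapping(address => uint256) private _balances;
    mapping(address => uint256) private _locked;

    function mint(address to, uint256 amount) external {
        _balances[to] += amount;
    }

    // Only the unlocked part of a balance can move between accounts.
    function transfer(address to, uint256 amount) external {
        require(_balances[msg.sender] - _locked[msg.sender] >= amount, "insufficient unlocked balance");
        _balances[msg.sender] -= amount;
        _balances[to] += amount;
    }

    // Locking converts free balance into voting power that cannot be transferred while locked.
    function lock(uint256 amount) external {
        require(_balances[msg.sender] - _locked[msg.sender] >= amount, "insufficient unlocked balance");
        _locked[msg.sender] += amount;
    }

    function balanceOf(address account) external view returns (uint256) {
        return _balances[account];
    }

    function getVotingPower(address account) external view returns (uint256) {
        return _locked[account];
    }
}

// Hypothetical gauge controller showing the vulnerable vote beside the fixed one.
contract GaugeControllerExample {
    uint256 public constant WEIGHT_PRECISION = 10_000; // weight in basis points (assumed)

    IveRAAC public immutable veToken;

    // gauge => total voting power currently directed at it
    mapping(address => uint256) public gaugeWeights;
    // user => gauge => power that user last assigned to that gauge
    mapping(address => mapping(address => uint256)) public userGaugeVotes;

    constructor(IveRAAC token) {
        veToken = token;
    }

    // VULNERABLE, as described in the finding: reads the transferable balance, so
    // tokens held only for the duration of this call still count as voting power.
    function voteVulnerable(address gauge, uint256 weight) external {
        require(weight <= WEIGHT_PRECISION, "weight exceeds 100%");
        uint256 power = veToken.balanceOf(msg.sender) * weight / WEIGHT_PRECISION;
        _applyVote(msg.sender, gauge, power);
    }

    // FIXED: reads locked voting power, which a borrower who returns the tokens does not have.
    function vote(address gauge, uint256 weight) external {
        require(weight <= WEIGHT_PRECISION, "weight exceeds 100%");
        uint256 locked = veToken.getVotingPower(msg.sender);
        require(locked > 0, "no locked voting power");
        _applyVote(msg.sender, gauge, locked * weight / WEIGHT_PRECISION);
    }

    // Replaces the caller's previous allocation to the gauge rather than adding to it,
    // so re-voting cannot stack power.
    function _applyVote(address user, address gauge, uint256 newPower) internal {
        uint256 previous = userGaugeVotes[user][gauge];
        gaugeWeights[gauge] = gaugeWeights[gauge] - previous + newPower;
        userGaugeVotes[user][gauge] = newPower;
    }
}
```

To reproduce the finding against this mock: mint 100 tokens to account A, have A transfer them to B, and let B call voteVulnerable(gauge, 10_000). gaugeWeights[gauge] becomes 100, and it stays 100 after B transfers the tokens back to A, because nothing re-reads the balance. With the fixed vote, the same sequence reverts with "no locked voting power" since B never locked anything; only an account that has called lock, and therefore cannot move those tokens, can direct weight to the gauge.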