Core Contracts

Summary

Governance::castVote uses the user's latest voting power instead of the voting power at a predefined time from the past.
Since the voting power can be increased by locking more tokens, users are able to manipulate the vote results.

Vulnerability Details

Users can lock Raac tokens to receive veRaac tokens which are used as decaying voting power.
The amount of veRaac tokens minted and initial voting power is given by the following formula:

The voting power depends on the amount of locked tokens and on the lock duration.
The voting power decays liniarely to 0 at unlock time.

Governance uses _veToken.getVotingPower(msg.sender) to get an user voting power on castVote.

The getVotingPower]() returns the lates decayed voting power:

The usage of getVotingPower in governance leads to following problems:

• the same 1000 votingPower is worth more at the beginning of voting period than right before the voting closes.
  The voting period can take up to 4 weeks;

• an user, unhappy with the proposal's vote result, can increase (or extend) his locked tokens, obtaining more voting power. Then he can vote decisively right before voting period ends, reversing the vote result.

Impact

Governance voting is unfair.
Governance voting is susceptible to manipulation. The manipulation is straight forward: mint more voting power then vote.

Tools Used

Recommendations

Update the Governance::castVote function and use the voting power users had at a predefined time in the past. (eg. when the proposal was created).
The checkpoint sistem implemented in veToken can be used to retrieve the voting power at a specific block.