The `recordVote` function in `veRAACToken` allows anyone to record a vote for any user. This enables an attacker to falsely mark a user as having voted, preventing them from casting their actual vote. The issue arises due to the absence of an access control mechanism in the function.
The function `recordVote()` does not verify if the caller (`msg.sender`) is the same as the voter.
Any external user can call `recordVote(voter, proposalId)`, updating `_hasVotedOnProposal[voter][proposalId] = true`.
This prevents the actual voter from participating in governance.
The issue can be found here:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/tokens/veRAACToken.sol#L408-L417
Attackers can selectively block users from voting by marking them as already voted. Malicious actors could manipulate governance decisions by preventing key stakeholders from voting.
Manual Review
Modify `recordVote()` to allow only the voter to record their own vote.
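The recommended check, shown beside the unchecked behaviour the finding describes, in a minimal model contract. This is an added example and not the veRAACToken source: the contract name, the `recordVoteUnchecked` and `hasVoted` functions, the custom errors and the event are assumptions; only `recordVote`, `_hasVotedOnProposal`, `voter` and `proposalId` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal model of the vote-recording state described in the finding.
/// Illustrative only: names other than recordVote and _hasVotedOnProposal are hypothetical.
contract VoteRecordModel {
    error AlreadyVoted();
    error NotVoter();

    event VoteRecorded(address indexed voter, uint256 indexed proposalId);

    // voter => proposalId => whether a vote has been recorded
    mapping(address => mapping(uint256 => bool)) private _hasVotedOnProposal;

    /// Behaviour described in the finding: the caller is never compared
    /// with `voter`, so any account can set the flag for any address.
    function recordVoteUnchecked(address voter, uint256 proposalId) external {
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        _hasVotedOnProposal[voter][proposalId] = true;
        emit VoteRecorded(voter, proposalId);
    }

    /// Recommended form: only the voter can record their own vote.
    function recordVote(address voter, uint256 proposalId) external {
        // Access control first, so a third party cannot reach the state change.
        if (msg.sender != voter) revert NotVoter();
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        _hasVotedOnProposal[voter][proposalId] = true;
        emit VoteRecorded(voter, proposalId);
    }

    /// Read-only helper for tests: has a vote been recorded for this pair?
    function hasVoted(address voter, uint256 proposalId) external view returns (bool) {
        return _hasVotedOnProposal[voter][proposalId];
    }
}
```

A regression test for the fix should call `recordVote` for another address from an unrelated account, expect the revert, and confirm that `hasVoted` for the target stays `false`.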