Missing Access Control on Vote Recording Allows Arbitrary Vote Spoofing
Summary
The recordVote function in veRAACToken lacks access control, allowing anyone to record votes on behalf of any user, potentially compromising the integrity of the governance system. This vulnerability could be exploited to manipulate voting outcomes by falsely recording votes for arbitrary addresses.
Vulnerability Details
The recordVote function in veRAACToken is designed to record votes for governance proposals and prevent double voting. However, its implementation has a critical security flaw:
The key issues is that:
The function lacks any modifier or check to verify that the caller is authorized to record votes. Unlike other sensitive functions in the contract that use modifiers like onlyOwner or check for specific roles, this function is completely unprotected.
The proper implementation should ensure that only:
The actual voter (msg.sender) can record their own vote
Or a designated governance contract with proper authorization can record votes
PoC
Alice holds 1000 veRAACToken and intends to vote on proposal ID 1
Bob (malicious actor) calls
recordVote(alice, 1)before Alice can voteThe transaction succeeds, recording a vote for Alice without her consent
When Alice tries to actually vote on proposal 1, the transaction reverts with
AlreadyVotedBob has effectively blocked Alice from participating in governance
Impact
Unauthorized recording of votes for any address
Denial of legitimate voting rights
Manipulation of governance outcomes
False voting records that could affect governance decisions
Tools Used
Manual code review
Recommendations
Add authentication to ensure only authorized entity can record voter's vote.
Lead Judging Commences
veRAACToken::recordVote lacks access control, allowing anyone to emit fake events
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.