Regnum Aurum Acquisition Corp: Core Contracts

Severity: low
Status: Valid

Anyone can vote on behalf of the others

Summary

Anyone can vote on proposals on behalf of other users.

Vulnerability Details

There is a function `recordVote` in veRAACToken.sol that records a vote on a proposal:

```solidity
function recordVote(
    address voter,
    uint256 proposalId
) external {
    if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
    _hasVotedOnProposal[voter][proposalId] = true;
    uint256 power = getVotingPower(voter);
    emit VoteCast(voter, proposalId, power);
}
```

As you can see, the function has no access control: any account can call it with an arbitrary `voter` address and record a vote on behalf of someone else.

Impact

This vulnerability allows unauthorized users to vote on proposals using the voting power of other users, potentially manipulating outcomes.

Tools Used

Manual Review

Recommendations

```diff
function recordVote(
    address voter,
    uint256 proposalId
) external {
+   require(voter == msg.sender, "unauthorized voting");
    if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
    _hasVotedOnProposal[voter][proposalId] = true;
    uint256 power = getVotingPower(voter);
    emit VoteCast(voter, proposalId, power);
}
```

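Review bot: the added `require(voter == msg.sender, "unauthorized voting")` uses a revert string while the next line reverts with a custom error (`revert AlreadyVoted()`); for consistency with the existing style, declare `error UnauthorizedVoter();` and write `if (voter != msg.sender) revert UnauthorizedVoter();`. More importantly, the signature `recordVote(address voter, uint256 proposalId)` takes the voter as a parameter, which suggests the function is meant to be called by another contract (for example a governance contract) on the voter's behalf rather than by the voter directly; if that is the intended flow, `voter == msg.sender` would block the legitimate caller, and the right fix is to restrict `msg.sender` to the authorized caller (an `onlyGovernance`-style check) while keeping the `_hasVotedOnProposal` bookkeeping unchanged. Whichever check is chosen, placing it before the `_hasVotedOnProposal` write, as the hunk does, is correct, since an unauthorized call must not be able to mark a voter as having already voted.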
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::recordVote lacks access control, allowing anyone to emit fake events
