[H] Missing Authorization Check in `recordVote` Function in `veRAACToken`
Summary
The recordVote function in the veRAACToken contract does not check the msg.sender, allowing anyone to call this function with any voter address. This can lead to unauthorized recording of votes.
Vulnerability Details
The current recordVote function in the veRAACToken contract is:
The function does not check the msg.sender, allowing anyone to call this function with any voter address.
Links:
Impact
This bug can lead to unauthorized recording of votes, potentially compromising the integrity of the voting process within the protocol.
Tools Used
Manual code review.
Recommendations
Add an authorization check to ensure that only authorized addresses can call the recordVote function. The corrected function should be:
Additionally, define the onlyAuthorized modifier to restrict access to the function:
This ensures that only authorized addresses can call the recordVote function, maintaining the integrity of the voting process.
Lead Judging Commences
veRAACToken::recordVote lacks access control, allowing anyone to emit fake events
veRAACToken::recordVote lacks access control, allowing anyone to emit fake events
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.