The recordVote function in the veRAACToken contract is exposed externally without proper access control. This design flaw allows any caller to record votes on behalf of arbitrary addresses. As a result, malicious actors can impersonate voters or mark legitimate voters as having already voted, potentially manipulating governance outcomes.
The recordVote function accepts a voter address as a parameter and does not enforce any restrictions on who can call it. When called, it:
Checks if the given voter has already voted on the proposal using the _hasVotedOnProposal mapping.
Marks the voter as having voted and then retrieves the voter's current voting power.
Since there is no mechanism to verify that the caller is the intended voter or to restrict who can set the voting status, an attacker can call recordVote and supply any arbitrary address as the voter. This can falsely mark an account as having voted even if the account owner did not intend to cast a vote.
Assume address A is a legitimate voter who has not yet voted on proposal 1.
The _hasVotedOnProposal mapping for address A and proposal 1 is false.
An attacker calls recordVote with parameters:
voter = address A
proposalId = 1
The function checks _hasVotedOnProposal[A][1], finds it false, and proceeds to mark it as true.
The function then retrieves the voting power for address A and emits a VoteCast event with address A as the voter.
Address A is now recorded as having voted on proposal 1, even though they did not cast a vote.
When address A later attempts to vote legitimately, they will be prevented from doing so because _hasVotedOnProposal[A][1] is already set to true.
Unauthorized vote recording can alter the outcome of governance proposals by preventing legitimate votes or by falsely registering votes.
Manual Review
Modify the recordVote function to ensure that only the voter (i.e., msg.sender) can record their own vote, either by checking that msg.sender equals the provided voter address or by removing the voter parameter altogether.
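The two variants of this recommendation, next to the behaviour the report describes, as an added sketch that is not the veRAACToken source. The contract name, the _votingPower mapping, the VoteCast parameters, the custom errors and the function names recordVoteUnrestricted and recordVoteChecked are assumptions made for illustration; only recordVote, _hasVotedOnProposal and VoteCast are names from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustrative sketch only; not the veRAACToken source.
contract VoteRecorderSketch {
    // voter => proposalId => already voted (mapping name taken from the report)
    mapping(address => mapping(uint256 => bool)) private _hasVotedOnProposal;
    // Assumption: stand-in for the token's real voting-power accounting.
    mapping(address => uint256) private _votingPower;

    // Assumption: the event parameters are illustrative.
    event VoteCast(address indexed voter, uint256 indexed proposalId, uint256 power);

    error AlreadyVoted();
    error NotVoter();

    // Behaviour described in the report: any caller can supply any voter,
    // so the flag for that address is set without its owner's involvement.
    function recordVoteUnrestricted(address voter, uint256 proposalId) external {
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        _hasVotedOnProposal[voter][proposalId] = true;
        emit VoteCast(voter, proposalId, _votingPower[voter]);
    }

    // Variant 1: keep the parameter, but require the caller to be the voter.
    function recordVoteChecked(address voter, uint256 proposalId) external {
        if (msg.sender != voter) revert NotVoter();
        _record(voter, proposalId);
    }

    // Variant 2: drop the parameter so the voter is always msg.sender.
    function recordVote(uint256 proposalId) external {
        _record(msg.sender, proposalId);
    }

    // Shared bookkeeping: one vote per (voter, proposal), then emit the event.
    function _record(address voter, uint256 proposalId) private {
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        _hasVotedOnProposal[voter][proposalId] = true;
        emit VoteCast(voter, proposalId, _votingPower[voter]);
    }
}
```

With either variant, a call that names address A from any other account reverts or records the caller instead, so _hasVotedOnProposal[A][1] stays false until A votes.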