In the Governance.sol contract, the castVote function's effectiveness depends on when it is executed, as the longer the transaction stays in the mempool, the more voting power a user loses. Implementing a deadline for voting can mitigate this issue.
The vulnerability arises from the castVote function, which allows users to vote on proposals based on their voting power at the time of execution. However, the voting power of veRAAC token holders decays linearly over time. If a user's vote transaction stays in the mempool for an extended period, their voting power decreases, leading to a lower vote weight than intended. This can result in inaccurate vote counts and potentially affect the outcome of proposals.
Consider the following scenario:
A user with 100,000 veRAAC tokens casts a vote on a proposal.
The user's voting power decays over time due to the nature of veRAAC tokens.
If the vote transaction stays in the mempool for several hours, the user's voting power decreases to 95,000 veRAAC tokens by the time the transaction is executed.
The user's vote is counted with a weight of 95,000 instead of the intended 100,000, leading to an inaccurate vote count.
The impact of this vulnerability is that it can lead to inaccurate vote counts and potentially affect the outcome of proposals. Users may not have their full voting power counted if their vote transactions stay in the mempool for an extended period. This undermines the integrity and fairness of the governance process, as the vote counts may not accurately reflect the true voting power of participants.
Manual Review
To mitigate this vulnerability, implement a deadline for voting to ensure that votes are cast and counted within a specific time frame.
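One way to implement the recommended deadline, shown as an added sketch that is not the project's own code. The contract name, the IVotingPower interface, the extra deadline parameter and the storage layout are assumptions, since the page does not show the source of Governance.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal interface: the real veRAAC token interface is not
// shown on the page. It is assumed to return the caller's current,
// already-decayed voting power.
interface IVotingPower {
    function getVotingPower(address account) external view returns (uint256);
}

// Illustrative contract, not Governance.sol. Proposal state and voting-period
// checks are omitted to keep the focus on the deadline guard.
contract DeadlineVoteSketch {
    error VoteExpired(uint256 deadline, uint256 executedAt);
    error AlreadyVoted(uint256 proposalId, address voter);

    IVotingPower public immutable veToken;

    mapping(uint256 => uint256) public forVotes;
    mapping(uint256 => uint256) public againstVotes;
    mapping(uint256 => mapping(address => bool)) public hasVoted;

    constructor(IVotingPower veToken_) {
        veToken = veToken_;
    }

    // `deadline` is a unix timestamp chosen by the voter when signing.
    // If the transaction is mined later than that, it reverts instead of
    // being counted with a weight that has decayed while it sat in the mempool.
    function castVote(uint256 proposalId, bool support, uint256 deadline)
        external
        returns (uint256 weight)
    {
        if (block.timestamp > deadline) {
            revert VoteExpired(deadline, block.timestamp);
        }
        if (hasVoted[proposalId][msg.sender]) {
            revert AlreadyVoted(proposalId, msg.sender);
        }

        // Weight is still read at execution time, but the deadline bounds
        // how stale the transaction can be when that read happens.
        weight = veToken.getVotingPower(msg.sender);
        hasVoted[proposalId][msg.sender] = true;

        if (support) {
            forVotes[proposalId] += weight;
        } else {
            againstVotes[proposalId] += weight;
        }
    }
}
```

A reverted vote leaves hasVoted unset, so the voter can resubmit with a fresh deadline and see the weight that will actually be counted.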