Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Malicious user can call veRAACToken.recordVote() on behalf of other users

Summary

A malicious user can call veRAACToken.recordVote() with an arbitrary `voter` address, recording a vote on behalf of another user without that user's consent.

Vulnerability Details

veRAACToken.recordVote() can be called by anyone with an arbitrary `voter` address: it marks that address as having voted on the given proposalId and emits an event carrying the voter's current votingPower. A malicious user can therefore cast votes with another user's votingPower on proposals the attacker favours, without the voter's permission. The same call can also be used to lock a voter out: because a voter cannot vote twice on the same proposal, an attacker can record the victim's vote at a moment when the victim's votingPower is lower than it will be when they intend to vote, so the victim can never vote on that proposalId with the power they wanted.
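As an added example (this is not the project's code), the following minimal contracts reproduce the pattern the finding describes and place the hardened form next to it. The voting-power mapping, the `setVotingPower` helper, the `hasVoted` getter, the `NoVotingPower` error and the `Exploit` contract are assumptions for illustration; the real veRAACToken derives votingPower from a vote-escrow lock rather than a plain mapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Shared state for both variants (assumed stand-in for the real contract's
/// lock-based voting power; not the project's own implementation).
abstract contract VeTokenBase {
    error AlreadyVoted();
    event VoteCast(address indexed voter, uint256 indexed proposalId, uint256 power);

    mapping(address => uint256) internal _votingPower;                     // hypothetical stub
    mapping(address => mapping(uint256 => bool)) internal _hasVotedOnProposal;

    // Test helper so a harness can model a voter whose power grows later.
    function setVotingPower(address who, uint256 power) external {
        _votingPower[who] = power;
    }

    function getVotingPower(address who) public view returns (uint256) {
        return _votingPower[who];
    }

    function hasVoted(address voter, uint256 proposalId) external view returns (bool) {
        return _hasVotedOnProposal[voter][proposalId];
    }
}

/// Vulnerable shape: the caller chooses whose vote is recorded.
contract VeTokenVulnerable is VeTokenBase {
    function recordVote(address voter, uint256 proposalId) external {
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        _hasVotedOnProposal[voter][proposalId] = true;
        uint256 power = getVotingPower(voter);      // attacker picks the moment, so the snapshot
        emit VoteCast(voter, proposalId, power);     // can be taken while the victim's power is low
    }
}

/// Hardened shape: the vote is attributed to msg.sender only. Rejecting a
/// zero-power vote is an additional assumption here so that empty accounts
/// cannot spam VoteCast events; the finding's recommended diff does not include it.
contract VeTokenFixed is VeTokenBase {
    error NoVotingPower();

    function recordVote(uint256 proposalId) external {
        uint256 power = getVotingPower(msg.sender);
        if (power == 0) revert NoVotingPower();
        if (_hasVotedOnProposal[msg.sender][proposalId]) revert AlreadyVoted();
        _hasVotedOnProposal[msg.sender][proposalId] = true;
        emit VoteCast(msg.sender, proposalId, power);
    }
}

/// Attack sequence as a contract so it compiles and can be driven from any
/// EVM test harness (hypothetical; illustrates the lock-out described above).
contract Exploit {
    /// Returns true when the victim's vote on `proposalId` has been consumed,
    /// i.e. the victim's own later recordVote(victim, proposalId) would revert
    /// with AlreadyVoted even if their votingPower has grown since.
    function lockOut(VeTokenVulnerable ve, address victim, uint256 proposalId)
        external
        returns (bool consumed)
    {
        ve.recordVote(victim, proposalId);          // emits VoteCast(victim, proposalId, lowPower)
        return ve.hasVoted(victim, proposalId);     // true: victim can no longer vote on proposalId
    }
}
```

Driving `Exploit.lockOut` against `VeTokenVulnerable` from any account succeeds, and the victim's subsequent `recordVote(victim, proposalId)` reverts with `AlreadyVoted`; against `VeTokenFixed` the attacker can only ever spend their own power, and `lockOut` does not compile because the `voter` parameter no longer exists.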

Impact

votingPower loses its meaning, since any user can spend another user's votingPower. A malicious user can record votes in support of desired proposals with others' votingPower, or prevent a user from voting on a given proposalId by calling recordVote() on their behalf while their votingPower is low, which sets `_hasVotedOnProposal[voter][proposalId]` and blocks the real vote.

Tools Used

Manual review

Recommendations

Only allow a user to vote with their own voting power, not others', by deriving the voter from msg.sender instead of taking it as a parameter:

function recordVote(
- address voter,
uint256 proposalId
) external {
- if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
+ if (_hasVotedOnProposal[msg.sender][proposalId]) revert AlreadyVoted();
- _hasVotedOnProposal[voter][proposalId] = true;
+ _hasVotedOnProposal[msg.sender][proposalId] = true;
- uint256 power = getVotingPower(voter);
+ uint256 power = getVotingPower(msg.sender);
- emit VoteCast(voter, proposalId, power);
+ emit VoteCast(msg.sender, proposalId, power);
}
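Review bot: the patch removes the `address voter` parameter, which changes the external signature of `recordVote`; any governance or proposal contract that currently calls `recordVote(voter, proposalId)` on a user's behalf will no longer compile or will revert on the selector, so the caller side must be updated in the same change. If `recordVote` is intended to be invoked by a governance contract rather than by voters directly, the alternative fix is to keep the parameter and restrict the caller to that authorized contract instead of switching to `msg.sender`. Either way, `uint256 power = getVotingPower(msg.sender);` is still recorded and emitted unconditionally, so an account with zero voting power can mark itself as having voted and emit `VoteCast(msg.sender, proposalId, 0)`; consider reverting when `power == 0`.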
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::recordVote lacks access control, allowing anyone to emit fake events
