The castVote function in the Governance contract checks a voter’s current voting power at the time of voting (using _veToken.getVotingPower(msg.sender)). That value is dynamic and can be manipulated, whereas a historical snapshot of voting power taken at the proposal’s start cannot.
The governance contract does not snapshot or freeze voting power at the beginning of the voting period, relying instead on the live balance at vote time.
Imagine a user with a normal voting power of 1,000 veRAAC who borrows an additional 10,000 tokens just before voting. They could vote with an effective power of 11,000, despite their long-term stake being much lower. This temporary spike would unfairly tilt the vote in their favor.
This allows users to temporarily boost their voting power—such as via flash loans or short-term token deposits—to cast disproportionately influential votes, undermining the fairness and stability of the governance process.
Implement a snapshot mechanism that records each voter’s voting power at the start of the voting period (or at proposal creation). Use this snapshot value for all vote calculations, preventing manipulation via temporary token movements.
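A sketch of the recommended snapshot pattern, added here as an illustration and not taken from the audited code base. The contract name, the Proposal layout and the checkpointed lookup getPastVotingPower are assumptions; only getVotingPower appears in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical interface: the finding only shows getVotingPower(address).
// getPastVotingPower is an assumed checkpointed lookup, not a confirmed veToken function.
interface IVotingPowerSource {
    function getVotingPower(address account) external view returns (uint256);
    function getPastVotingPower(address account, uint256 blockNumber) external view returns (uint256);
}

contract SnapshotGovernanceSketch {
    struct Proposal {
        uint256 snapshotBlock; // voting power is read as of this block
        uint256 endTime;
        uint256 forVotes;
        uint256 againstVotes;
    }

    IVotingPowerSource private immutable _veToken;
    Proposal[] private _proposals;
    mapping(uint256 => mapping(address => bool)) private _hasVoted;

    constructor(IVotingPowerSource veToken) {
        _veToken = veToken;
    }

    function propose(uint256 votingPeriod) external returns (uint256 id) {
        id = _proposals.length;
        // Snapshot the previous block so deposits or loans made in the
        // proposal's own block (or any later block) carry no weight.
        _proposals.push(Proposal(block.number - 1, block.timestamp + votingPeriod, 0, 0));
    }

    // Before (as described in the finding): weight = _veToken.getVotingPower(msg.sender)
    function castVote(uint256 id, bool support) external returns (uint256 weight) {
        Proposal storage p = _proposals[id];
        require(block.timestamp <= p.endTime, "voting closed");
        require(!_hasVoted[id][msg.sender], "already voted");
        _hasVoted[id][msg.sender] = true;

        // After: weight is fixed at the snapshot, so the 10,000 borrowed tokens
        // in the scenario above add nothing to the voter's 1,000.
        weight = _veToken.getPastVotingPower(msg.sender, p.snapshotBlock);
        require(weight > 0, "no voting power at snapshot");
        if (support) p.forVotes += weight; else p.againstVotes += weight;
    }
}
```

The token side must record per-account checkpoints on every lock, extension and withdrawal for the historical lookup to be answerable.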