Unauthorized Vote Casting Vulnerability
Summary
The recordVote function allows recording a vote for a given proposal. However, it lacks a restriction ensuring that only the voter themselves can cast their vote. This opens a potential vulnerability where a malicious user could call this function on behalf of another user, potentially influencing the voting process unfairly.
Affected Function
Issue Description
The function does not include an access control mechanism to verify that
msg.senderis the actualvoter.A malicious actor could execute this function and pass any address as the
voter, effectively forcing other users to vote on a proposal without their consent.
Impact
Unauthorized voting could manipulate governance decisions.
Users may unknowingly have their votes cast for proposals they do not support.
The integrity of the voting process is compromised.
Recommendation
Add a check to ensure that only the voter themselves can call this function by verifying msg.sender:
This modification ensures that only the voter (the caller of the function) can cast their own vote, preventing unauthorized voting.
Lead Judging Commences
veRAACToken::recordVote lacks access control, allowing anyone to emit fake events
veRAACToken::recordVote lacks access control, allowing anyone to emit fake events
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.