Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: low
Valid

Unauthorized Vote Recording in recordVote Function

Summary

The veRAACToken::recordVote function lacks access control, allowing anyone to record votes on behalf of any voter. This critical vulnerability could enable malicious actors to manipulate the protocol's governance system.

Vulnerability Details

The vulnerability is located in the recordVote function:

```solidity
function recordVote(
    address voter,
    uint256 proposalId
) external {
    // No caller restriction: any address may pass any voter here.
    if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
    _hasVotedOnProposal[voter][proposalId] = true;
    uint256 power = getVotingPower(voter);
    emit VoteCast(voter, proposalId, power);
}
```

  • The function does not restrict who can call it. Any external address can call recordVote and record a vote on behalf of any voter.

  • This allows malicious actors to manipulate the voting system by recording votes for other users.

Impact

Malicious actors could record votes on behalf of other users, preventing those users from voting on proposals themselves and potentially skewing the results of governance proposals.

Tools Used

Manual Code Review

Recommendations

1. Add Access Control

Restrict the recordVote function to authorized callers, such as the governance contract or a specific voting module. For example:

```solidity
function recordVote(
    address voter,
    uint256 proposalId
) external onlyVotingModule { // <-- Add access control modifier
    if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
    _hasVotedOnProposal[voter][proposalId] = true;
    uint256 power = getVotingPower(voter);
    emit VoteCast(voter, proposalId, power);
}
```

Define the onlyVotingModule modifier to restrict access:

```solidity
address private immutable votingModule;

modifier onlyVotingModule() {
    if (msg.sender != votingModule) revert Unauthorized();
    _;
}
```

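The recommendation wired end to end, as an added illustration that is not the project's code: a minimal stand-in for the token's vote bookkeeping (hypothetical `VeVoteRecorder`, with `getVotingPower` stubbed) guarded by `onlyVotingModule`, and the single authorized `VotingModule`, which records a vote only for `msg.sender`. The point is that the voter identity is checked by the trusted caller instead of being accepted from anyone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for veRAACToken's vote bookkeeping (added example).
contract VeVoteRecorder {
    error AlreadyVoted();
    error Unauthorized();
    event VoteCast(address indexed voter, uint256 indexed proposalId, uint256 power);

    address public immutable votingModule;
    mapping(address => mapping(uint256 => bool)) private _hasVotedOnProposal;

    constructor(address _votingModule) {
        votingModule = _votingModule;
    }

    modifier onlyVotingModule() {
        if (msg.sender != votingModule) revert Unauthorized();
        _;
    }

    // Placeholder for the real voting-power calculation (assumption).
    function getVotingPower(address) public pure returns (uint256) {
        return 1;
    }

    // Only the configured voting module can reach this; a direct call from
    // any other address reverts with Unauthorized before any state changes.
    function recordVote(address voter, uint256 proposalId) external onlyVotingModule {
        if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        _hasVotedOnProposal[voter][proposalId] = true;
        emit VoteCast(voter, proposalId, getVotingPower(voter));
    }

    function hasVoted(address voter, uint256 proposalId) external view returns (bool) {
        return _hasVotedOnProposal[voter][proposalId];
    }
}

// The single trusted caller. It deploys the recorder bound to itself and
// records votes only for msg.sender, so nobody can vote on another's behalf.
contract VotingModule {
    VeVoteRecorder public immutable token;

    constructor() {
        token = new VeVoteRecorder(address(this));
    }

    function castVote(uint256 proposalId) external {
        token.recordVote(msg.sender, proposalId);
    }
}
```

A Hardhat or Foundry test for this pattern should assert that `token.recordVote(victim, id)` from an arbitrary account reverts with `Unauthorized` and that `hasVoted(victim, id)` stays false, while `castVote` through the module succeeds.
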
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::recordVote lacks access control, allowing anyone to emit fake events

