As emergencyWithdraw() charges no fee, anyone can vote with effectively unlimited voting power, either in favour of or against any proposal.
Imagine this attack scenario:
Assume emergency withdrawals are enabled in veRAACToken and there is some crucial proposal, proposalX, in Governance that needs to be executed. The attacker wants to vote against it with unlimited power.
1. The attacker locks x amount in veRAACToken to obtain some voting power.
2. The attacker casts a vote against proposalX via Governance.castVote().
3. The attacker calls veRAACToken.emergencyWithdraw() and gets back the underlying raac tokens.
4. The attacker transfers the raac tokens to another address, addressB.
From addressB the attacker repeats the same four steps: locks, votes, calls emergencyWithdraw() and transfers the underlying raac tokens to addressC.
The attacker repeats this flow with as many addresses as needed until the votes against proposalX reach a huge amount.
The result: a critically needed proposal can never be executed. Not only that, the attacker can also vote in favour of malicious proposals with the same unlimited power.
Make sure to charge a small fee on every emergencyWithdraw(), either a flat 10% or a dynamic percentage that decreases as the lock approaches its expected duration.