Weight Manipulation Exploit
Summary
The castVote()function retrieves the current voting power at the time of voting using
This allows users to increase their veToken holdings after a proposal has started and vote with an inflated influence
Vulnerability Details
A proposal is created, and voting begins.
A user has low
veTokenholdings at the startThe user observes early votes and buy more
veTokensThe user calls
castVote(), and the function fetches their updated (higher) voting power.The user casts a disproportionately large vote, manipulating governance outcomes.
This exact issue was exploited in compound finance (COMP Governance), where users were able to borrow COMP tokens and vote with them, significantly influencing proposal outcomes.
Impact
Governance takeover and undermines the legitimacy of user
Tools Used
Bypassing fair voting
Recommendations
Implement snapshot based voting power at the time of proposal creation.
Modify castVote() to use the stored snapshot instead of live balances.
Prevent mid-vote power accumulation from affecting voting weight
Governance should be predictable: users should not be able to change voting power after proposal creation.
Taking snapshot ensures fairness.
Lead Judging Commences
Governance.castVote uses current voting power instead of proposal creation snapshot, enabling vote manipulation through token transfers and potential double-voting
Governance.castVote uses current voting power instead of proposal creation snapshot, enabling vote manipulation through token transfers and potential double-voting
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.