Double Voting Through Token Transfer
Summary
The voting power calculation in the governance system lacks proper checkpointing, allowing users to vote multiple times by transferring tokens between addresses.
Vulnerability Details
The castVote function in the Governance contract uses getVotingPower() without block number parameters:
This allows a malicious user to:
Vote with their current voting power
Transfer their veRAAC tokens to another address
Vote again from the new address
Potentially repeat this process multiple times
The lack of historical voting power tracking enables this double-voting attack vector.
Impact
Double voting possibility through token transfers
Manipulation of governance decisions
Undermined voting integrity
Potential for malicious proposals to pass through vote multiplication
Tools Used
Manual code review
Analysis of governance implementation
Review of voting power calculation mechanisms
Recommendations
Implement a
getPriorVotingPower(address account, uint256 blockNumber)function that returns historical voting powerModify the
castVotefunction to use voting power from the proposal creation block:
Lead Judging Commences
Governance.castVote uses current voting power instead of proposal creation snapshot, enabling vote manipulation through token transfers and potential double-voting
Governance.castVote uses current voting power instead of proposal creation snapshot, enabling vote manipulation through token transfers and potential double-voting
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.