Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: low
Valid

Impersonation Risk in Voting Mechanism

Summary

The recordVote function takes the voter address as a parameter and never checks it against msg.sender, so any caller can record a vote in another address's name. This allows vote manipulation through impersonation and compromises the integrity of the voting system.

Affected Function

```solidity
function recordVote(
    address voter,          // caller-supplied; never compared to msg.sender
    uint256 proposalId
) external {
    if (_hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
    _hasVotedOnProposal[voter][proposalId] = true;   // marks the supplied address as having voted
    uint256 power = getVotingPower(voter);
    emit VoteCast(voter, proposalId, power);         // event is attributed to `voter`, not the caller
}
```

Issue Description

  • No verification between msg.sender and the provided voter address

  • Allows malicious actors to submit votes using others' addresses

  • Lacks basic access control mechanisms

Impact

  • Compromised voting integrity

  • Unauthorized vote submission risk

  • Potential manipulation of governance decisions

Recommendation

Implement sender verification by modifying the function:

```solidity
function recordVote(uint256 proposalId) external {
    // The voter is always the caller; no address parameter to spoof
    if (_hasVotedOnProposal[msg.sender][proposalId]) revert AlreadyVoted();
    _hasVotedOnProposal[msg.sender][proposalId] = true;
    uint256 power = getVotingPower(msg.sender);
    emit VoteCast(msg.sender, proposalId, power);
}
```

This ensures vote authenticity by tying every recorded vote to msg.sender, so votes can only be cast by the actual token holders themselves.
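As an added regression test (not part of the original submission or the RAAC code base), the following Foundry test contrasts the two function shapes on constructed stand-ins: the original signature records a vote in another address's name, while the recommended msg.sender form can only touch the caller's own entry. It assumes forge-std is available and replaces getVotingPower with a settable per-address value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

// Constructed stand-in for veRAACToken: voting power is a settable per-address
// value so the test runs without the rest of the protocol.
abstract contract VoteBase {
    mapping(address => mapping(uint256 => bool)) public hasVotedOnProposal;
    mapping(address => uint256) public votingPower;
    error AlreadyVoted();
    event VoteCast(address indexed voter, uint256 indexed proposalId, uint256 power);
    function setPower(address who, uint256 p) external { votingPower[who] = p; }
    function getVotingPower(address who) public view returns (uint256) { return votingPower[who]; }
}
contract VulnerableVoting is VoteBase {
    // Original shape: `voter` is caller-supplied and never compared to msg.sender.
    function recordVote(address voter, uint256 proposalId) external {
        if (hasVotedOnProposal[voter][proposalId]) revert AlreadyVoted();
        hasVotedOnProposal[voter][proposalId] = true;
        emit VoteCast(voter, proposalId, getVotingPower(voter));
    }
}
contract FixedVoting is VoteBase {
    // Recommended shape: the vote is always attributed to msg.sender.
    function recordVote(uint256 proposalId) external {
        if (hasVotedOnProposal[msg.sender][proposalId]) revert AlreadyVoted();
        hasVotedOnProposal[msg.sender][proposalId] = true;
        emit VoteCast(msg.sender, proposalId, getVotingPower(msg.sender));
    }
}
contract RecordVoteTest is Test {
    event VoteCast(address indexed voter, uint256 indexed proposalId, uint256 power);
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");

    function testVulnerableAcceptsImpersonatedVote() public {
        VulnerableVoting v = new VulnerableVoting();
        v.setPower(victim, 1_000e18);
        vm.expectEmit(true, true, false, true);
        emit VoteCast(victim, 1, 1_000e18); // event carries the victim's address and power
        vm.prank(attacker);
        v.recordVote(victim, 1);            // no revert: nothing checks msg.sender
        assertTrue(v.hasVotedOnProposal(victim, 1));
    }
    function testFixedAttributesVoteToCaller() public {
        FixedVoting f = new FixedVoting();
        vm.prank(attacker);
        f.recordVote(1);                    // only the caller's own slot can change
        assertTrue(f.hasVotedOnProposal(attacker, 1));
        assertFalse(f.hasVotedOnProposal(victim, 1));
    }
}
```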

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::recordVote lacks access control, allowing anyone to emit fake events