The proposalPowerSnapshots state variable in the veRAACToken contract is never explicitly initialized, yet it is used in the getVotingPowerForProposal function. This lack of initialization can lead to incorrect voting power calculations and compromise the governance process.
In the veRAACToken contract, a state variable named proposalPowerSnapshots is declared to keep track of voting power snapshots for proposals. However, the variable is never explicitly initialized or populated with meaningful data during contract deployment or before it is used. The function getVotingPowerForProposal(address, uint256) relies on proposalPowerSnapshots to calculate a user's voting power for a given proposal. Since uninitialized state variables default to empty values (e.g., zero for numeric types or empty mappings/arrays), any operations or lookups performed on proposalPowerSnapshots will not return the expected historical data. This oversight may result in:
Voting power being calculated as zero or incorrect values.
The governance process not reflecting the actual token stake of users.
Potential manipulation or denial of valid votes if the system treats a zero snapshot as an indication of no voting power.
The vulnerability stems from the assumption that proposalPowerSnapshots would be properly set up prior to use, but without explicit initialization, the contract's logic that depends on this variable becomes unreliable.
Improper initialization of proposalPowerSnapshots directly affects the calculation of voting power. Since governance decisions often depend on accurate voting power distribution:
Incorrect Governance Outcomes: Valid proposals might be rejected or passed based on faulty voting power data.
Financial and Reputational Risks: Miscalculation of voting power could lead to decisions that negatively impact token holders, undermining trust in the protocol.
Potential Exploitation: An attacker might exploit the flaw by influencing other parts of the contract, knowing that the snapshots are not correctly maintained, thereby skewing governance results.
Consider the following simplified scenario:
A user stakes tokens and expects their voting power to be recorded in proposalPowerSnapshots.
However, since proposalPowerSnapshots is never initialized or updated, any lookup (e.g., proposalPowerSnapshots[user]) will return zero.
When the user calls getVotingPowerForProposal, the function uses the uninitialized snapshot value, resulting in a computed voting power of zero or an incorrect amount, regardless of the actual tokens staked.
To resolve this vulnerability, ensure that proposalPowerSnapshots is properly initialized and maintained. This can be done by:
Initializing the Variable:
Explicitly initialize proposalPowerSnapshots in the constructor or during a designated initialization phase.
Updating the Snapshot Logic:
Modify functions that update voting power (such as during token staking or proposal creation) to correctly record snapshots in proposalPowerSnapshots.
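An added sketch of the snapshot logic recommended above (not code from the veRAACToken contract): it assumes proposalPowerSnapshots maps a proposal ID to a snapshot block number, and every name other than proposalPowerSnapshots and getVotingPowerForProposal is hypothetical. It records the snapshot at proposal creation and rejects lookups for proposals whose snapshot was never written.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the veRAACToken source. Storage layout is assumed.
contract SnapshotSketch {
    struct Checkpoint { uint256 blockNumber; uint256 power; }

    address public immutable governance; // hypothetical: the only snapshot writer
    // Assumed layout: proposalId => block number at which voting power is frozen.
    mapping(uint256 => uint256) public proposalPowerSnapshots;
    mapping(address => Checkpoint[]) private _checkpoints;

    error NotGovernance();
    error SnapshotAlreadyRecorded(uint256 proposalId);
    error SnapshotNotRecorded(uint256 proposalId);

    constructor(address governance_) { governance = governance_; }

    // Hypothetical hook the governance contract calls when a proposal is created.
    function recordProposalSnapshot(uint256 proposalId) external {
        if (msg.sender != governance) revert NotGovernance();
        if (proposalPowerSnapshots[proposalId] != 0) revert SnapshotAlreadyRecorded(proposalId);
        proposalPowerSnapshots[proposalId] = block.number;
    }

    // Hypothetical stand-in for stake/lock updates: checkpoint every power change.
    function setPower(uint256 newPower) external {
        Checkpoint[] storage cps = _checkpoints[msg.sender];
        if (cps.length > 0 && cps[cps.length - 1].blockNumber == block.number) {
            cps[cps.length - 1].power = newPower; // same block: overwrite
        } else {
            cps.push(Checkpoint(block.number, newPower));
        }
    }

    function getVotingPowerForProposal(address account, uint256 proposalId)
        external view returns (uint256)
    {
        uint256 snapshotBlock = proposalPowerSnapshots[proposalId];
        // A zero entry means "never written", not "no voting power": fail loudly.
        if (snapshotBlock == 0) revert SnapshotNotRecorded(proposalId);
        Checkpoint[] storage cps = _checkpoints[account];
        // Walk back to the latest checkpoint at or before the snapshot block.
        for (uint256 i = cps.length; i > 0; i--) {
            if (cps[i - 1].blockNumber <= snapshotBlock) return cps[i - 1].power;
        }
        return 0; // account held no power at the snapshot block
    }
}
```

The linear checkpoint walk keeps the sketch short; a production contract would normally use a binary search over checkpoints.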