code-423n4 / 2021-05-fairside-findings


`validateVoteHash` does not confirm the vote result #37

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details


The `validateVoteHash` function only checks that the individual voting power (conviction score) is indeed correct, but it does not verify that the outcome of the vote is correct, i.e., it is possible for a guardian to submit completely different `forVotes`/`againstVotes` in `__castOffchainVotes`, changing the proposal outcome.

Impact

The guardian needs to be trusted to submit the correct `forVotes` and `againstVotes` such that they match the votes in the `voteHash`. The issue is that this cannot be easily verified.

Legitimate users can be tricked into thinking the result is correct by checking that their vote & support is contained in `votes` and recomputing the `voteHash` themselves. They then call `validateVoteHash`, which "confirms" the guardian result. However, in reality, the guardian could have submitted arbitrary `forVotes`/`againstVotes` values.

This makes the current validation system kind of useless.

Recommended Mitigation Steps

Sum up the for/against votes in the `votes` array of `validateVoteHash` and check that it matches `proposal.forVotes`/`againstVotes`.
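An added Python model of the check discussed in this finding (not the FairSide contract's own code): the original validation only recomputes the hash over the submitted vote packs, so guardian-supplied `forVotes`/`againstVotes` that contradict those packs still "validate", while the mitigated version re-tallies the packs as well. The `VotePack` fields, the proposal dict, sha256 standing in for `keccak256`, and the sample votes are assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VotePack:
    voter: str        # assumed field: who cast the vote
    conviction: int   # assumed field: voting power of this vote
    support: bool     # True = for, False = against


def vote_hash(votes: List[VotePack]) -> str:
    """Hash of all submitted packs; sha256 stands in for the contract's keccak256."""
    h = hashlib.sha256()
    for v in votes:
        h.update(f"{v.voter}|{v.conviction}|{int(v.support)}".encode())
    return h.hexdigest()


def tally(votes: List[VotePack]) -> Tuple[int, int]:
    """Sum conviction for and against, exactly what the report asks validateVoteHash to do."""
    for_votes = sum(v.conviction for v in votes if v.support)
    against_votes = sum(v.conviction for v in votes if not v.support)
    return for_votes, against_votes


def validate_vote_hash_original(proposal: Dict, votes: List[VotePack]) -> bool:
    """Models the reported behaviour: only the pack hash is compared, tallies are trusted."""
    return vote_hash(votes) == proposal["voteHash"]


def validate_vote_hash_fixed(proposal: Dict, votes: List[VotePack]) -> bool:
    """Recommended mitigation: the hash must match AND the re-tallied sums must match."""
    if vote_hash(votes) != proposal["voteHash"]:
        return False
    return tally(votes) == (proposal["forVotes"], proposal["againstVotes"])


# Constructed sample data: three packs, 95 conviction for and 40 against.
VOTES = [VotePack("0xA", 70, True), VotePack("0xB", 40, False), VotePack("0xC", 25, True)]
HONEST_PROPOSAL = {"voteHash": vote_hash(VOTES), "forVotes": 95, "againstVotes": 40}
# Same packs, same hash, but the guardian recorded the swapped totals.
TAMPERED_PROPOSAL = {"voteHash": vote_hash(VOTES), "forVotes": 40, "againstVotes": 95}
```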

fairside-core commented 3 years ago

The `VotePack` struct contains a bool indicating whether there was support for a proposal or not, and the `validateVoteHash` function hashes all submitted votes, meaning that it is not possible to obscure the for and against votes as they can be calculated off-chain.

In any case, this is purely an off-chain utility function and as such, the severity should be reduced to non-critical (0).

cemozerr commented 3 years ago

Labeling this as non-critical as `validateVoteHash` is an external function.