code-423n4 / 2023-07-arcade-findings


reputation badges can be transferred to others for higher voting power than delegation #432

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/nft/ReputationBadge.sol#L39

Vulnerability details

Impact

Reputation badges can be transferred to others for higher voting power than delegation.

Proof of Concept

According to README.md, reputation NFTs are minted to award users and can be used in governance to give a multiplier to the user's voting power. So it has two functions:

  1. Represent the reputation a user got.
  2. Give the user more voting power.

However, a user can transfer his reputation NFTs to others for more voting power than delegation. Here is a PoC:

  1. A reputation token can multiply one's voting power by 1.5 times.
  2. Alice got the reputation NFT and has 10 voting power.
  3. Bob has 100 voting power.
  4. If Alice delegates her voting power to Bob, Bob will have 100 + 15 = 115 voting power. But if she transfers the NFT to Bob (then delegates), Bob will have 150 (+10) voting power.
  5. Bob gets the NFT (maybe buying it) for more voting power and reputation.

As shown above, we shouldn't allow reputation transfer, as it can be used to tamper with voting power and also to present wrong reputations.

Tools Used

Manual Review.

Recommended Mitigation Steps

ReputationBadge.sol should override transfer and approve functions in the ERC-1155 contract it inherited.

Assessed type

Governance
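An added illustration of the mitigation step above, written for this page and not taken from the Arcade repository: a minimal ERC-1155 badge in which the public transfer and approval entry points revert, while minting (awarding) and burning (revoking) remain possible. It assumes OpenZeppelin Contracts v4.x at the usual import path; the contract name, the `mint`/`burn` helpers and the custom error are hypothetical. The `_beforeTokenTransfer` hook is overridden as well, so that any internal transfer path, not just the public functions, is rejected when both `from` and `to` are non-zero.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumption: OpenZeppelin Contracts v4.x is installed at this import path.
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// @notice Hypothetical non-transferable ("soulbound") reputation badge.
///         Illustrates the recommended mitigation; not the Arcade ReputationBadge code.
contract NonTransferableBadge is ERC1155, Ownable {
    error BadgeNotTransferable();

    constructor(string memory uri_) ERC1155(uri_) {}

    /// @notice Awarding a badge stays possible: only the owner can mint.
    function mint(address to, uint256 id, uint256 amount) external onlyOwner {
        _mint(to, id, amount, "");
    }

    /// @notice A badge can be given up by its holder or revoked by the owner,
    ///         but it can never be moved to another account.
    function burn(address from, uint256 id, uint256 amount) external {
        require(msg.sender == from || msg.sender == owner(), "not holder or owner");
        _burn(from, id, amount);
    }

    // ---- Public transfer/approval surface: always revert, as the finding recommends ----

    function safeTransferFrom(
        address, address, uint256, uint256, bytes memory
    ) public pure override {
        revert BadgeNotTransferable();
    }

    function safeBatchTransferFrom(
        address, address, uint256[] memory, uint256[] memory, bytes memory
    ) public pure override {
        revert BadgeNotTransferable();
    }

    /// @dev Approvals are pointless for a non-transferable token; reject them so that
    ///      marketplaces and operators cannot even be set up.
    function setApprovalForAll(address, bool) public pure override {
        revert BadgeNotTransferable();
    }

    // ---- Defence in depth: block holder-to-holder moves on every internal path ----

    function _beforeTokenTransfer(
        address operator,
        address from,
        address to,
        uint256[] memory ids,
        uint256[] memory amounts,
        bytes memory data
    ) internal virtual override {
        // Mint has from == 0 and burn has to == 0; anything else is a transfer.
        if (from != address(0) && to != address(0)) revert BadgeNotTransferable();
        super._beforeTokenTransfer(operator, from, to, ids, amounts, data);
    }
}
```

With this shape, the multiplier computed by the governance contracts is only ever applied to the account that was originally awarded the badge, which removes the "transfer, then delegate" path in the PoC. The sponsor's later comments show that transferability was a deliberate design choice for Arcade, so this is what the alternative would look like rather than a required fix.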

141345 commented 1 year ago

Seems expected behavior.

This one seems more suitable for analysis report.

c4-sponsor commented 1 year ago

PowVT marked the issue as sponsor acknowledged

c4-sponsor commented 1 year ago

PowVT marked the issue as disagree with severity

PowVT commented 1 year ago

We definitely acknowledge the consequences here, but we prefer the badges to be transferable.

0xean commented 1 year ago

I think this comes down to a design choice rather than a high severity issue, will mark as QA.

c4-judge commented 1 year ago

0xean changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

0xean marked the issue as grade-a