Malicious users can use more votes than they are supposed to have
Summary
Malicious users can use more votes than they are supposed to have
Vulnerability Detail
Users have a certain amount of voting tokens based on their unclaimed tokens and the voting factor. DAOs integrating the protocol would let users vote for important decisions using their voting tokens. However, users can use more votes than they are supposed to have because of an issue with the protocol.
Imagine the following scenario:
Bob has 100 unclaimed tokens and the vote factor is 2, thus he is supposed to have 200 voting tokens (we are ignoring fractionDenominator for simplicity purposes)
An admin decides to change the voting factor to 1:
Now, Bob is supposed to have 100 voting tokens, however they are still not updated as _reconcileVotingPower() has not been called
Bob decides to vote on an important proposal and votes with his full balance of 200 voting tokens
The protocol integrating would have to call _reconcileVotingPower() for every voter to make sure their voting power is actually updated however the issue is that the function is private
This essentially allows Bob to still vote with 200 tokens despite him only actually having access to 100. The _reconcileVotingPower() function can only be called using other functions in the AdvancedDistributorInitializable contract however these functions have a completely different goal and purpose and the protocol integrating is definitely not supposed to be calling them just to update the voting power of a voter.
Impact
Malicious users can use more votes than they are supposed to have
samuraii77
high
Malicious users can use more votes than they are supposed to have
Summary
Malicious users can use more votes than they are supposed to have
Vulnerability Detail
Users have a certain amount of voting tokens based on their unclaimed tokens and the voting factor. DAOs integrating the protocol would let users vote for important decisions using their voting tokens. However, users can use more votes than they are supposed to have because of an issue with the protocol.
Imagine the following scenario:
fractionDenominator
for simplicity purposes)_reconcileVotingPower()
has not been called_reconcileVotingPower()
for every voter to make sure their voting power is actually updated however the issue is that the function is privateThis essentially allows Bob to still vote with 200 tokens despite him only actually having access to 100. The
_reconcileVotingPower()
function can only be called using other functions in theAdvancedDistributorInitializable
contract however these functions have a completely different goal and purpose and the protocol integrating is definitely not supposed to be calling them just to update the voting power of a voter.Impact
Malicious users can use more votes than they are supposed to have
Code Snippet
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/67edd899612619b0acefdcb0783ef7a8a75caeac/contracts/packages/hardhat/contracts/claim/factory/AdvancedDistributorInitializable.sol#L85-L99
Tool used
Manual Review
Recommendation