Voting Power Manipulation
Detects governance voting power manipulation vulnerabilities.
Overview
The voting power manipulation detector identifies vulnerabilities in governance systems where voting power can be manipulated through token balance tricks, flash loans, or account state exploitation. It flags reading token balances without snapshot validation, missing delegated voting checks, no flash loan protection, and accepting votes from the same tokens multiple times.
For remediation guidance, see Voting Power Manipulation Remediation.
Why This Is an Issue
Governance systems that derive voting power from current token balance are vulnerable to flash loan attacks: an attacker borrows a large amount of tokens, votes with inflated power, then returns the tokens in the same transaction. Without snapshot-based voting power, attackers can also move tokens between accounts to vote multiple times.
How to Resolve
Before (Vulnerable)
    // Vulnerable: reads current balance for voting power
    pub fn vote(ctx: Context<Vote>, proposal_id: u64, choice: u8) -> Result<()> {
        let power = ctx.accounts.voter_tokens.amount; // Current balance
        cast_vote(proposal_id, choice, power)?;
        Ok(())
    }
After (Fixed)
    // Fixed: uses snapshot-based voting power
    pub fn vote(ctx: Context<Vote>, proposal_id: u64, choice: u8) -> Result<()> {
        let proposal = &ctx.accounts.proposal;
        // Power is fixed at the slot recorded when the proposal was created,
        // so tokens acquired afterwards (flash loan, transfers) do not count.
        let snapshot_slot = proposal.snapshot_slot;
        let power = get_voting_power_at_snapshot(
            &ctx.accounts.voter, snapshot_slot
        )?;
        // One vote per voter: the per-voter vote record prevents double-voting.
        require!(!ctx.accounts.vote_record.has_voted, ErrorCode::AlreadyVoted);
        cast_vote(proposal_id, choice, power)?;
        ctx.accounts.vote_record.has_voted = true;
        Ok(())
    }
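As an added illustration that is not part of the detector's documentation or of any real program, the toy Rust model below contrasts the two patterns above: a constructed ledger with balances recorded per slot, a vulnerable vote that reads the latest balance, and a fixed vote that reads the balance at the proposal's snapshot slot and refuses a second vote from the same account. Ledger, Proposal, VoteError and both vote functions are assumed names.

```rust
use std::collections::{BTreeMap, HashMap, HashSet};

/// Constructed toy ledger: per voter, slot -> token balance recorded at that slot.
#[derive(Default)]
struct Ledger {
    history: HashMap<String, BTreeMap<u64, u64>>,
}

impl Ledger {
    fn set_balance(&mut self, voter: &str, slot: u64, amount: u64) {
        self.history.entry(voter.to_string()).or_default().insert(slot, amount);
    }
    /// Latest balance: what a `voter_tokens.amount` read sees at vote time.
    fn current_balance(&self, voter: &str) -> u64 {
        self.history.get(voter).and_then(|h| h.values().next_back().copied()).unwrap_or(0)
    }
    /// Balance as of `snapshot_slot`: the last record at or before that slot.
    fn balance_at(&self, voter: &str, snapshot_slot: u64) -> u64 {
        self.history
            .get(voter)
            .and_then(|h| h.range(..=snapshot_slot).next_back().map(|(_, v)| *v))
            .unwrap_or(0)
    }
}

struct Proposal {
    snapshot_slot: u64,
    tally: u64,
    voted: HashSet<String>, // stands in for the per-voter vote_record.has_voted flag
}

#[derive(Debug, PartialEq)]
enum VoteError { AlreadyVoted }

/// Vulnerable pattern: power is the current balance, so tokens obtained after the
/// snapshot (a flash loan, or tokens moved in from another account) count.
fn vote_current_balance(ledger: &Ledger, proposal: &mut Proposal, voter: &str) -> u64 {
    let power = ledger.current_balance(voter);
    proposal.tally += power;
    power
}

/// Fixed pattern: power is frozen at the snapshot slot and each voter votes once.
fn vote_snapshot(ledger: &Ledger, proposal: &mut Proposal, voter: &str) -> Result<u64, VoteError> {
    if !proposal.voted.insert(voter.to_string()) { return Err(VoteError::AlreadyVoted); }
    let power = ledger.balance_at(voter, proposal.snapshot_slot);
    proposal.tally += power;
    Ok(power)
}
```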
Example JSON Finding
    {
      "detector": "voting-power-manipulation",
      "severity": "high",
      "confidence": 0.7,
      "message": "Voting power derived from current token balance without snapshot validation",
      "location": { "function": "vote", "block": 0, "statement": 1 }
    }
Detection Methodology
- Voting function identification: Identifies functions with vote-related naming patterns.
- Balance read detection: Flags token balance reads used as voting power.
- Snapshot check search: Looks for timestamp or slot-based snapshot validation.
- Duplicate vote detection: Checks for vote record tracking to prevent double-voting.
Limitations
- False positives: Simple voting systems where flash loans are not economically viable.
- False negatives: Custom governance implementations with non-standard naming.
Related Detectors
- Oracle Data Freshness — stale data usage
- Cross-Program State — state consistency