Skip to main content
Sigvex

Voting Power Manipulation Remediation

How to fix governance voting power manipulation vulnerabilities.

Voting Power Manipulation Remediation

Overview

Related Detector: Voting Power Manipulation

Current-balance voting enables flash loan attacks. The fix is to use snapshot-based voting power, track vote records to prevent double-voting, and implement token lockup during voting periods.

// Use snapshot-based voting power
let power = get_power_at_snapshot(voter, proposal.snapshot_slot)?;
require!(!vote_record.has_voted, AlreadyVoted);
cast_vote(proposal_id, choice, power)?;
vote_record.has_voted = true;

Alternative Mitigations

Token Lockup

Require voters to lock tokens before the voting period begins:

require!(voter_lockup.locked_at <= proposal.voting_start, LockupTooLate);
require!(voter_lockup.locked_until >= proposal.voting_end, LockupTooShort);

Common Mistakes

Mistake: No Double-Vote Prevention

// WRONG: voter can call this multiple times with same tokens
let power = get_snapshot_power(voter)?;
cast_vote(proposal, choice, power)?;

Always track vote records per voter per proposal.

References