[Lines of code](https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/treasury/GovernorCountingOverridable.sol#L181-L189) # Vulnerability details ## Impact If a transcoder gets slashed fully he can still vote with 0 amount of weight making any other delegated user that wants to change his vote to subtract their weight amount from other delegators/transcoders. ## Proof of Concept In BondingManager.sol any transcoder can gets slashed by a specific percentage, and that specific transcoder gets resigned and that specific percentage gets deducted from his bondedAmount If any bondedAmount will remain then the penalty will also gets subtracted from the delegatedAmount, if not, nothing happens After that the penalty gets burned and the fees gets paid to the finder, if that is the case The problem relies in the fact that a fully slashed transcoder, even if it gets resigned, he is still seen as an active transcoder in the case of voting. Let's assume this case : * a transcoder gets fully slashed and gets resigned from the transcoder pools, getting his bondedAmount to 0, but he still has delegatedAmount to his address since nothing happens this variable * transcoder vote a proposal and when his weighting gets calculated here , it will use the _getVotes from GovernorVotesUpgradeable.sol * _getVotes calls getPastVotes on BondingVotes.sol which returns the amount of weight specific to this transcoder and as you can see, because the transcoder has a bondedAmount equal to 0, the first if statement will be true and 0 will be returned * 0 weight will be passed into _countVote which will then be passed into _handleVoteOverrides * then it will check if the caller is a transcoder, which will be true in our case, because nowhere in the slashTranscoder function, or any other function the transcoder delegateAddress gets changed, so this if statement will be true , which will try to deduct the weight from any previous delegators * if any delegator already overridden any amount this subtraction would revert, but if that is not the case, 0 weight will be returned, which is then used to vote for, against , abstain, but since 0 weight is passed no changed will be made. * now the big problem arise, if any delegator that delegated their votes to this specific transcoder want to change their vote, when his weight gets calculated, delegatorCumulativeStakeAt gets called which will return most of the time his bondedAmount, amount which is greater than 0, since he didn't unbound. * because of that when _handleVoteOverrides gets called in _countVote, to override the vote, this if statement will be true, since the transcoder voted already, but with 0 weight and the delegator weight gets subtracted from the support that the transcoder used in his vote * the system in this case expect the transcoder to vote with the whole delegatedAmount, which will make the subtraction viable, since the weight of the delegator should be included in the full delegatedAmount of that specific transcoder, but since the transcoder voted with 0 weight, the subtraction would be done from other delegators/transcoders votes. * also this can be abused by a transcoder by voting a category which he knows will not get a lot of votes, if let's say a transcoder used his 0 weight to vote for abstain and every other voter will vote on for or against, every time one of his delegators want to change the vote the subtraction can revert, which will force those delegators out of the vote, until they will change their transcoder ## Tools Used Manual review ## Recommended Mitigation Steps If a transcoder gets fully slashed and resigned, delete his address from delegateAddress so he will not appear as a transcoder in the mechanism of counting the votes. If he still wants to participate in the system he can act as a delegator to another transcoder. Another solution would be to not let 0 weight votes happen anyways, since they don't modify the vote state at all. ## Assessed type Governance --- The text was updated successfully, but these errors were encountered: All reactions