[audit] 3. Users can inflate their voting power by registering duplicate NFT token IDs

[NoahSaso]

From Oak:

In contracts/voting/dao-voting-onft-staked/src/contract.rs:149, the execute_confirm_stake function does not validate that the supplied NFT token IDs are not duplicates. This is problematic because the register_staked_nfts function in contracts/voting/dao-voting-onft-staked/src/state.rs:65-77 increases the user’s voting power based on the total number of token IDs supplied, which may include duplicates.

An attacker can exploit this issue by calling the execute_confirm_stake function with duplicates of a token ID, granting them a high amount of voting power without requiring them to stake the necessary NFTs. These voting powers can be weaponized to manipulate the DAO into dispatching malicious messages, such as transferring funds to the attacker.

This fix deduplicates token IDs on confirm to prevent double-counting.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.65%. Comparing base (75272b9) to head (d4d085e).

Additional details and impacted files

@@             Coverage Diff              @@
##           development     #864   +/-   ##
============================================
  Coverage        96.64%   96.65%           
============================================
  Files              240      240           
  Lines            65294    65312   +18     
============================================
+ Hits             63106    63125   +19     
+ Misses            2188     2187    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bekauz]

@NoahSaso maybe we can switch this to a set eventually?