Voteaire’s Franken-Addresses Solution

Voteaire
Feb 22, 2023

Several platforms within the Cardano ecosystem have recently fallen prey to an attack vector dubbed the “Franken-Address” vulnerability. It exploits the fact that a person can spoof the staking address while signing with their payment address. For Voteaire, this means a person could potentially vote using the weight of another person. In this article, we outline how the Voteaire team has tackled the Franken-Address issue to ensure that voters use only the ADA / tokens that they control and that the voting results are weighted correctly.

Useful background

Cardano addresses are composed of two parts, a payment portion and a staking portion. Typically, the former and the latter are from the same wallet and controlled by the same person. However, it’s possible to compose an address of a payment portion under your control and a staking portion owned by somebody else.

Vulnerability

The Franken-Address vulnerability can affect many platforms in the ecosystem, and Voteaire is no exception. This is because Voteaire weighs votes using the ADA that a given stake address controls, while a transaction only requires a signature from the payment portion of an address. As such, if a malicious user composes an address using the stake address of someone who holds a lot of ADA (or tokens) and votes using that address, they can rig the ballot result by getting credit for ADA or tokens which they don’t control.

Solution

In order to ensure security and guarantee objective voting results, we have updated the specification to require that votes be attached to a delegation transaction instead of a normal payment transaction. Because a delegation transaction requires control of the stake address, the voter cannot misrepresent the amount of funds they control. Voteaire will look for the pool you are currently delegated to and re-delegate to that pool, so voting will not change your delegation status and will have no effect on rewards. Note that you still must be delegated to a pool before casting a vote on the Voteaire platform to make your vote count.
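The difference between the two rules, as an added Python example that is not Voteaire's code. It assumes the standard base-address byte layout (header byte, 28-byte payment key hash, 28-byte stake key hash) and models transactions as plain dictionaries with hypothetical field names; the stake-key witness check that the Cardano ledger performs on a delegation certificate is modelled inside the function, and all keys and balances are constructed.

```python
import hashlib

def key_hash(pubkey: bytes) -> bytes:
    """Cardano credentials are Blake2b-224 hashes of the verification key."""
    return hashlib.blake2b(pubkey, digest_size=28).digest()

def base_address(payment_hash: bytes, stake_hash: bytes, network_id: int = 1) -> bytes:
    """Base address bytes: header (type 0b0000 | network id), payment hash, stake hash."""
    return bytes([network_id & 0x0F]) + payment_hash + stake_hash

def split_base_address(addr: bytes):
    if len(addr) != 57 or addr[0] >> 4 != 0b0000:
        raise ValueError("not a key-hash/key-hash base address")
    return addr[1:29], addr[29:57]

def weight_payment_signed(tx: dict, balances: dict) -> int:
    """Rule before the fix: a payment-key witness is enough, the stake part is trusted."""
    payment, stake = split_base_address(tx["address"])
    if payment not in tx["witnesses"]:
        return 0
    return balances.get(stake, 0)

def weight_delegation_signed(tx: dict, balances: dict) -> int:
    """Rule after the fix: the vote must ride on a delegation certificate, and the
    stake credential named in it must have witnessed the transaction."""
    stake = tx.get("delegation_stake_hash")
    if stake is None or stake not in tx["witnesses"]:
        return 0
    return balances.get(stake, 0)

# Constructed sample data: placeholder byte strings stand in for real public keys.
ATTACKER_PAY, ATTACKER_STAKE = key_hash(b"attacker-pay"), key_hash(b"attacker-stake")
WHALE_PAY, WHALE_STAKE = key_hash(b"whale-pay"), key_hash(b"whale-stake")
BALANCES = {ATTACKER_STAKE: 10, WHALE_STAKE: 5_000_000}  # ADA controlled per stake key

# Franken-address: attacker's payment part glued to the whale's stake part.
FRANKEN_TX = {"address": base_address(ATTACKER_PAY, WHALE_STAKE),
              "witnesses": {ATTACKER_PAY},
              "delegation_stake_hash": None}
# Attacker tries the new flow: names the whale's stake key but cannot sign for it.
FORGED_DELEG_TX = dict(FRANKEN_TX, delegation_stake_hash=WHALE_STAKE)
# Honest whale vote: delegation certificate witnessed by the whale's stake key.
HONEST_TX = {"address": base_address(WHALE_PAY, WHALE_STAKE),
             "witnesses": {WHALE_PAY, WHALE_STAKE},
             "delegation_stake_hash": WHALE_STAKE}

if __name__ == "__main__":
    for name, tx in [("franken", FRANKEN_TX), ("forged", FORGED_DELEG_TX), ("honest", HONEST_TX)]:
        print(name, weight_payment_signed(tx, BALANCES), weight_delegation_signed(tx, BALANCES))
```

Under the payment-signature rule the Franken-address transaction is credited with the whale's balance; under the delegation rule only the transaction witnessed by the whale's stake key carries that weight.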
