Unidan could just create an account on multiple instances and vote for his posts/comments with all these accounts. That way his content would gain more attention than those of sincere users.
In case of malicious bots (like those annoying bootleg bots on reddit), it might even be profitable for them to create their own instance(s) just for that purpose.
Is there a mechanism to prevent that? (other than user/instance banning and the introduction question on user creation)
I’m 99% sure reddit does a lot of backflips to detect and prevent that. One casual bad actor can only burn up so many IP addresses or API keys in a short period, and I think there’s some undisclosed/“secret” logic to it. It’s like burglary - you can’t stop it but you can cost the burglar sufficient time or money to deter them.
I haven’t dug into Lemmy’s code yet but I am curious what countermeasures against abuse are apart of federation. Signed, time-boxed tokens and IP addresses could be part of the protocol to mitigate abuse via federation.