Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Governance incorrectly accounts for total voting power

Summary

In the RAAC protocol, users can lock their RAAC tokens in exchange for veRAAC tokens, which serve as the voting token in governance. However, when a proposal is to be executed, the quorum is calculated incorrectly, which affects the outcome of the proposal.

Vulnerability Details

When a proposal is to be executed, Governance::state is called to determine the state of the proposal. If the voting period has ended, the quorum is calculated and compared with the threshold value, and the for votes are checked against the against votes:

ProposalVote storage proposalVote = _proposalVotes[proposalId];
uint256 currentQuorum = proposalVote.forVotes + proposalVote.againstVotes;
uint256 requiredQuorum = quorum();
// Check if quorum is met and votes are in favor
if (currentQuorum < requiredQuorum || proposalVote.forVotes <= proposalVote.againstVotes) {
    return ProposalState.Defeated;
}

Now look at the quorum function:

function quorum() public view override returns (uint256) {
    return (_veToken.getTotalVotingPower() * quorumNumerator) / QUORUM_DENOMINATOR;
}

And veRAACToken::getTotalVotingPower:

function getTotalVotingPower() external view override returns (uint256) {
    return totalSupply();
}

So quorum is computed from the total supply at the current timestamp, not from a snapshot taken when the proposal's voting ended.

For example, if the total votes collected is 400 and the total supply at the end of the proposal's voting period is 9000, the proposal should be considered passed. But if the total supply has reached 11000 by the time execute is called, the proposal no longer has enough votes to pass, even though it had already met quorum when voting concluded.

Impact

Some proposals may not be executed successfully.

Tools Used

Manual review

Recommendations

Use the total supply as of the timestamp/block number at the proposal's end time.
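
The scenario and the recommended fix, modeled as an added JavaScript example (not code from the RAAC contracts or from this submission). It assumes a 4% quorum so that the 400 / 9000 / 11000 figures behave as described, that all 400 votes are in favor, and that total supply is checkpointed; `SupplyCheckpoints`, `stateAfterVoting`, and the `Succeeded` state name are hypothetical.

```javascript
// Added model of the quorum check; not RAAC's code. The 4% quorum is an
// assumption chosen to match the finding's numbers. BigInt mirrors Solidity's
// truncating integer division.
const QUORUM_NUMERATOR = 4n;
const QUORUM_DENOMINATOR = 100n;

// Append-only history of total voting power, one checkpoint per supply change.
class SupplyCheckpoints {
  constructor() { this.points = []; } // [{ time, supply }], ascending by time
  push(time, supply) {
    const last = this.points[this.points.length - 1];
    if (last && time < last.time) throw new Error("checkpoints must be ordered");
    if (last && time === last.time) last.supply = supply; // same timestamp: overwrite
    else this.points.push({ time, supply });
  }
  // Supply as of `time`: binary search for the last checkpoint with point.time <= time.
  at(time) {
    let lo = 0, hi = this.points.length;
    while (lo < hi) {
      const mid = (lo + hi) >>> 1;
      if (this.points[mid].time <= time) lo = mid + 1; else hi = mid;
    }
    return lo === 0 ? 0n : this.points[lo - 1].supply;
  }
  latest() { return this.at(Infinity); } // what a live totalSupply() read returns
}

const quorumOf = (supply) => (supply * QUORUM_NUMERATOR) / QUORUM_DENOMINATOR;

// State of a proposal whose voting period has ended. useSnapshot = false models
// the reported behaviour; true models the recommendation (supply at end time).
function stateAfterVoting(proposal, history, useSnapshot) {
  const supply = useSnapshot ? history.at(proposal.endTime) : history.latest();
  const cast = proposal.forVotes + proposal.againstVotes;
  const failed = cast < quorumOf(supply) || proposal.forVotes <= proposal.againstVotes;
  return failed ? "Defeated" : "Succeeded"; // "Succeeded" is an assumed state name
}

// Constructed scenario from the finding: 400 votes, supply 9000 when voting
// ends (t=200), supply 11000 by the time execute is called.
function demo() {
  const history = new SupplyCheckpoints();
  history.push(100, 9000n);  // supply in effect when voting ends
  history.push(300, 11000n); // new locks after voting ended
  const proposal = { endTime: 200, forVotes: 400n, againstVotes: 0n };
  return { live: stateAfterVoting(proposal, history, false),
           snapshot: stateAfterVoting(proposal, history, true) };
}
```

With the live read the required quorum moves from 360 to 440 after voting has closed, so the same 400 votes flip from passing to defeated; the snapshot read pins it at 360.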

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Governance::quorum uses current total voting power instead of proposal creation snapshot, allowing manipulation of threshold requirements to force proposals to pass or fail
