Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Quorum Calculation Bypass in Governance Proposal Verification

foxb868

Summary

The Governance contract vulnerability in its quorum calculation mechanism. The issue lies in the interaction between vote counting and proposal state transitions, allowing proposals to pass without meeting the required quorum thresholds. The quorum verification lacks proper validation of total voting power against minimum thresholds. Governance.sol#_isProposalSuccessful

function _isProposalSuccessful(uint256 proposalId) internal view returns (bool) {

ProposalVote storage proposalVote = _proposalVotes[proposalId];

// Vulnerable to manipulation during low voting power periods

uint256 currentQuorum = proposalVote.forVotes + proposalVote.againstVotes;

// Uses instantaneous quorum calculation instead of time-weighted average

uint256 requiredQuorum = quorum();

// Missing minimum absolute quorum threshold check

return currentQuorum >= requiredQuorum &&

proposalVote.forVotes > proposalVote.againstVotes;

}

The function calculates proposal success based on current voting power snapshots, making it vulnerable to timing attacks. The issue lies in using instantaneous quorum requirements rather than time-weighted averages, which could be exploited during periods of low voting power participation.

Vulnerability Details

The RAAC Protocol's governance system faces a critical weakness in how it handles proposal voting power. Imagine a bank vault that requires 10 security guards to open, but sometimes counts each guard twice, that's effectively what's happening here with the voting power calculation.

In the Governance.sol contract, the quorum calculation interacts with three key components:

The veRAACToken voting power
The time-weighted average tracking
The proposal state transitions

Here's how an attacker could exploit this:

An opportunistic actor monitors the protocol's veRAACToken total voting power. When it dips below normal levels (perhaps during a major market event), they submit a proposal. The Governance contract's quorum calculation uses the current voting power snapshot rather than a time-weighted average, allowing the proposal to pass with artificially low participation.

Looking at the code:

function _isProposalSuccessful(uint256 proposalId) internal view returns (bool) {

uint256 currentQuorum = proposalVote.forVotes + proposalVote.againstVotes;

// The vulnerability lies in using instantaneous rather than time-weighted voting power

return currentQuorum >= requiredQuorum &&

proposalVote.forVotes > proposalVote.againstVotes;

The impact extends beyond simple governance, this could affect:

Protocol parameter updates through GaugeController
Fee distribution configurations in FeeCollector
Treasury fund allocations

Impact

Passing proposals with artificially low quorum requirements
Undermining governance security during low participation periods
Potential manipulation of protocol parameters

Recommendations

Implement time-weighted average voting power calculations and minimum quorum thresholds:

function quorum() public view returns (uint256) {

// Leverages existing TimeWeightedAverage library used in gauge system

uint256 avgVotingPower = getTimeWeightedVotingPower();

// Establishes hard minimum quorum floor aligned with protocol parameters

uint256 minQuorum = MIN_QUORUM_THRESHOLD;

// Uses max function to ensure quorum never falls below safety threshold

return Math.max(

(avgVotingPower * quorumNumerator) / QUORUM_DENOMINATOR,

minQuorum

);

}

We uses the TimeWeightedAverage library already present in the protocol
Follows the same pattern as GaugeController's weight calculations

Additional constants to define:

// Add to existing governance parameters

uint256 public constant MIN_QUORUM_THRESHOLD = 100_000e18; // 100k minimum voting power

Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Governance::quorum uses current total voting power instead of proposal creation snapshot, allowing manipulation of threshold requirements to force proposals to pass or fail

inallhonesty Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Governance::quorum uses current total voting power instead of proposal creation snapshot, allowing manipulation of threshold requirements to force proposals to pass or fail

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.