Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Governance Execution Failure Due to Improper ETH Handling and Lack of Validation

Summary

The governance contract has a design issue that prevents it from properly handling native tokens (ETH) in governance proposals. Since the contract cannot receive ETH and does not forward ETH when calling the timelock contract, any proposal that requires ETH execution will fail.

Vulnerability Details

  1. Governance Contract Does Not Handle ETH Properly:

    • The governance contract cannot receive ETH, meaning it cannot store or forward ETH for proposal execution.

    • When calling _timelock.executeBatch, it does not pass the required ETH value, causing all proposals that include ETH transfers to fail.

    https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/proposals/Governance.sol#L540

  2. Timelock Contract Executes Calls with ETH:

    https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/proposals/TimelockController.sol#L192

    • The timelock contract contains the following loop, in the function that executes proposals:

        for (uint256 i = 0; i < targets.length; i++) {
            (bool success, bytes memory returndata) = targets[i].call{value: values[i]}(calldatas[i]);
            if (!success) {
                revert CallReverted(id, i);
            }
        }

    • This function is payable and expects the native token to be passed in, but because the governance contract does not handle the native token, proposals that require it will fail at execution.

  3. Proposal Creation Does Not Validate values:

    • When creating a proposal, the sum of values (ETH amounts) is not validated against msg.value.

    • A proposer can submit a proposal requiring ETH execution without actually providing the necessary ETH.

Impact

  • Governance Breakdown: Proposals requiring the native token for execution will fail indefinitely, effectively halting governance functionality for native-token-related actions.

  • Fund Mismanagement: ETH-dependent proposals cannot be executed, reducing protocol functionality.

Tools Used

Manual Code Review

Recommendations

  1. Require Exact msg.value in propose:

    • Enforce that proposers must send msg.value == sum(values) to match the proposal’s native token requirements.

    • Example Fix:

      uint256 totalValue;
      for (uint256 i = 0; i < values.length; i++) {
          totalValue += values[i];
      }
      require(msg.value == totalValue, "Incorrect ETH amount sent");

  2. Ensure executeBatch Forwards ETH:

    • Modify _executeProposal to correctly forward ETH when calling _timelock.executeBatch.

    • Example Fix:

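      // Solidity has no built-in sum(), so total the per-call ETH amounts first
      uint256 totalValue;
      for (uint256 i = 0; i < proposal.values.length; i++) {
          totalValue += proposal.values[i];
      }
      _timelock.executeBatch{value: totalValue}(
          proposal.targets,
          proposal.values,
          proposal.calldatas,
          bytes32(0),
          salt
      );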
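
A minimal side-by-side of the execution path this finding describes, as an added example that is not code from the RAAC repository or from the submission. `MiniTimelock`, `MiniGovernor`, `executeNoForward` and `executeForward` are hypothetical names, and the sketch assumes the timelock holds no ETH of its own and that the executor supplies the ETH at execution time rather than at proposal creation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: all contract and function names are hypothetical, not RAAC code.

/// Stand-in timelock: forwards values[i] with each call, like the loop quoted above.
contract MiniTimelock {
    error CallReverted(uint256 index);
    error LengthMismatch();

    function executeBatch(
        address[] calldata targets, uint256[] calldata values, bytes[] calldata calldatas
    ) external payable {
        if (targets.length != values.length || targets.length != calldatas.length) revert LengthMismatch();
        for (uint256 i = 0; i < targets.length; i++) {
            (bool success, ) = targets[i].call{value: values[i]}(calldatas[i]);
            if (!success) revert CallReverted(i);
        }
    }
}

contract MiniGovernor {
    MiniTimelock public immutable timelock;

    error ValueMismatch(uint256 sent, uint256 required);

    constructor(MiniTimelock timelock_) {
        timelock = timelock_;
    }

    /// Pattern from the finding: not payable and no value forwarded. Assuming the
    /// timelock holds no ETH, any values[i] > 0 fails the inner call and reverts.
    function executeNoForward(
        address[] calldata targets, uint256[] calldata values, bytes[] calldata calldatas
    ) external {
        timelock.executeBatch(targets, values, calldatas);
    }

    /// Hardened form: the caller funds the batch exactly and the ETH is forwarded.
    function executeForward(
        address[] calldata targets, uint256[] calldata values, bytes[] calldata calldatas
    ) external payable {
        uint256 total;
        for (uint256 i = 0; i < values.length; i++) total += values[i];
        if (msg.value != total) revert ValueMismatch(msg.value, total);
        timelock.executeBatch{value: total}(targets, values, calldatas);
    }
}
```

The exact-match check in `executeForward` also keeps surplus ETH from being stranded in the timelock when a caller overpays.
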
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Governance.execute lacks payable modifier and ETH forwarding mechanism, preventing proposals with ETH transfers from being executed through TimelockController

