Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Unlimited Proposal Creation by Users with Sufficient veRAAC Votes

Summary

The governance contract allows any user with sufficient veRAAC tokens (above the proposal threshold) to create an unlimited number of proposals. This could result in governance spam, voting fatigue, and potential manipulation of the system by malicious actors or users with large token holdings.

Vulnerability Details

The contract allows any address with voting power above the proposalThreshold to create an unlimited number of proposals. There is no cap on how many proposals can be submitted by a user in a given time frame. This could be exploited in the following ways:

  • Spam Proposals: A malicious actor could create many low-value or irrelevant proposals to overwhelm the voting process.

  • Governance Fatigue: Token holders may be overwhelmed by an excessive number of proposals, leading to decreased participation and rushed, ill-considered decisions.

  • Proposal Manipulation: Users with large token holdings could create proposals to promote personal or malicious agendas, potentially diluting the effectiveness of meaningful governance.

Impact

  • Governance Inefficiency: A large number of proposals could result in governance overload, reducing the ability of legitimate proposals to be considered in a timely manner.

  • Voting Power Concentration Risk: Users with large veRAAC holdings could abuse the system by flooding governance with proposals that distract or divide the voting community.

  • Decreased Proposal Quality: A lack of limits might lead to an environment where only those with enough voting power can submit proposals, disregarding the broader community’s interests.

Tools Used

Manual code review

Recommendations

To mitigate the issue of unlimited proposal creation, the following changes are recommended:

  1. Proposal Creation Limits:

    • Introduce a limit on the number of proposals a single user can submit within a defined time period (e.g., once per week or month).

  2. Proposal Fee:

    • Charge a fee (in veRAAC tokens) for submitting proposals. This would discourage spam and incentivize more thoughtful proposal creation.

  3. Endorsement Requirement:

    • Require a minimum number of votes or veRAAC token holders to support or endorse a proposal before it can be officially created. This ensures only proposals with genuine community interest are submitted.

  4. Proposal Categorization:

    • Implement categorization or prioritization of proposals. High-impact proposals could undergo a more thorough review process, while low-priority proposals could be handled more quickly.

  5. Proposal Creation Cooldown:

    • Introduce a cooldown period between proposal submissions for the same address to reduce spamming.

By implementing these controls, the system can maintain a balance between accessibility and governance efficiency, preventing abuse and ensuring the integrity of the decision-making process.
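Recommendations 1 and 5 can be combined in a single guard on proposal creation. The contract below is an added sketch, not the RAAC governance code: the contract name, the IVotingPowerSource interface, its getVotingPower function, and the cooldown, window and maxPerWindow parameters are all assumptions made for illustration, and the at-or-above threshold comparison is assumed as well.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; not the RAAC governance contract. All names are hypothetical.
interface IVotingPowerSource {
    function getVotingPower(address account) external view returns (uint256);
}

contract ProposalRateLimiter {
    error BelowProposalThreshold(uint256 power, uint256 required);
    error CooldownActive(uint256 availableAt);
    error WindowCapReached(uint256 windowEndsAt);

    struct Usage { uint64 lastProposalAt; uint64 windowStart; uint32 countInWindow; }

    IVotingPowerSource public immutable votingPower; // stands in for veRAAC
    uint256 public immutable proposalThreshold;
    uint64 public immutable cooldown;     // minimum seconds between proposals (rec. 5)
    uint64 public immutable window;       // length of the counting period (rec. 1)
    uint32 public immutable maxPerWindow; // proposals allowed per address per window
    mapping(address => Usage) public usage;
    uint256 public proposalCount;

    event ProposalCreated(uint256 indexed id, address indexed proposer, bytes32 descriptionHash);

    constructor(IVotingPowerSource src, uint256 threshold, uint64 cooldown_, uint64 window_, uint32 max_) {
        votingPower = src; proposalThreshold = threshold;
        cooldown = cooldown_; window = window_; maxPerWindow = max_;
    }

    function propose(bytes32 descriptionHash) external returns (uint256 id) {
        // Existing gate described in the finding: enough voting power to propose.
        uint256 power = votingPower.getVotingPower(msg.sender);
        if (power < proposalThreshold) revert BelowProposalThreshold(power, proposalThreshold);

        Usage storage u = usage[msg.sender];
        uint64 nowTs = uint64(block.timestamp);
        // Cooldown: reject if the previous proposal from this address is too recent.
        if (u.lastProposalAt != 0 && nowTs < u.lastProposalAt + cooldown)
            revert CooldownActive(u.lastProposalAt + cooldown);
        // Fixed window: start a fresh count once the previous window has elapsed.
        if (nowTs >= u.windowStart + window) { u.windowStart = nowTs; u.countInWindow = 0; }
        if (u.countInWindow >= maxPerWindow) revert WindowCapReached(u.windowStart + window);

        u.lastProposalAt = nowTs;
        u.countInWindow += 1;
        id = ++proposalCount;
        emit ProposalCreated(id, msg.sender, descriptionHash);
    }
}
```

Both limits are keyed by address, so they only bound a holder whose voting power cannot be split across several addresses that each clear the threshold.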

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
