Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Canceled proposals are stored in the `TimelockController` as valid proposals

Summary

In `Governance.sol`, when a proposal is canceled via `cancel()`, the function only sets `proposal.canceled = true`; it does not call `_timelock.cancel()` to remove the operation from the `TimelockController`'s storage. The canceled proposal's operation data therefore stays permanently stored in the timelock contract.

function cancel(uint256 proposalId) external override {
    // ... validation checks ...
    proposal.canceled = true;
    // Missing: _timelock.cancel(id);
    emit ProposalCanceled(proposalId, msg.sender, "Proposal canceled by proposer");
}

Impact

Canceled proposals are stored in the TimelockController as valid proposals.
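
The desynchronization described above can be stated as an invariant: a proposal canceled in Governance must not be pending in the timelock. The following is an added example, not code from the submission or the project: an in-memory JavaScript model in which the class and method names, the `syncOnCancel` switch, the stand-in `operationId`, and the assumption that the timelock's `cancel` reverts for a non-pending id are all illustrative.

```javascript
// Added model, not the project's Solidity; operationId stands in for hashOperationBatch.
const operationId = (p) =>
  JSON.stringify([p.targets, p.values, p.calldatas, "0x00", p.descriptionHash]);

class Timelock {
  constructor() { this.pending = new Set(); }
  schedule(id) { this.pending.add(id); }
  isOperationPending(id) { return this.pending.has(id); }
  cancel(id) {
    // Assumption: cancel reverts when the id is not pending.
    if (!this.pending.has(id)) throw new Error("operation not pending");
    this.pending.delete(id);
  }
}

class Governance {
  // syncOnCancel = false models the behaviour reported in the finding.
  constructor(timelock, syncOnCancel) {
    this.timelock = timelock;
    this.syncOnCancel = syncOnCancel;
    this.proposals = [];
  }
  propose(p) { return this.proposals.push({ ...p, canceled: false }) - 1; }
  queue(i) { this.timelock.schedule(operationId(this.proposals[i])); }
  cancel(i) {
    const id = operationId(this.proposals[i]);
    // The pending check keeps cancel() usable for proposals that were never queued.
    if (this.syncOnCancel && this.timelock.isOperationPending(id)) this.timelock.cancel(id);
    this.proposals[i].canceled = true;
  }
}

// Invariant check: indexes of canceled proposals that are still pending in the timelock.
function findDesynced(gov) {
  return gov.proposals.flatMap((p, i) =>
    p.canceled && gov.timelock.isOperationPending(operationId(p)) ? [i] : []);
}

// Constructed scenario: proposal 0 is queued, then canceled; proposal 1 is canceled unqueued.
function run(syncOnCancel) {
  const gov = new Governance(new Timelock(), syncOnCancel);
  const base = { targets: ["0xTarget"], values: [0], calldatas: ["0x"] };
  const a = gov.propose({ ...base, descriptionHash: "0xd1" });
  const b = gov.propose({ ...base, descriptionHash: "0xd2" });
  gov.queue(a);
  gov.cancel(a);
  gov.cancel(b);
  return findDesynced(gov);
}
```

`run(false)` reports proposal 0 as desynchronized, while `run(true)` reports none and still cancels the unqueued proposal 1 without reverting.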

Tools Used

Manual Review

Recommendations

Add the timelock cancellation call to `Governance.cancel()`:

function cancel(uint256 proposalId) external override {
...
+ bytes32 id = _timelock.hashOperationBatch(
+ proposal.targets,
+ proposal.values,
+ proposal.calldatas,
+ bytes32(0),
+ proposal.descriptionHash
+ );
+ _timelock.cancel(id);
proposal.canceled = true;
...
}
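
Review bot: `_timelock.cancel(id)` is called unconditionally in the added lines, but a proposal canceled before it was ever queued has no operation in the timelock. If the timelock's `cancel` reverts for an id that is not pending, as OpenZeppelin's TimelockController does, this change would make `Governance.cancel()` revert for every not-yet-queued proposal. Guard the call with a pending check on `id` (OpenZeppelin exposes `isOperationPending`), and confirm that Governance holds whatever role the timelock requires for `cancel`. The `bytes32(0)` predecessor and `proposal.descriptionHash` salt must also match the values the queue path used when scheduling, otherwise the computed `id` will not match the stored operation.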

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Governance::cancel and state lack synchronization with TimelockController
