Voting results can be changed after the voting period
Summary
Voting results can be changed after the voting period
Vulnerability Details
After the voting period, one proposal's voting result should be clear and fixed. After the voting period is over, we can check the over result via interface state(). If the condition currentQuorum < requiredQuorum || proposalVote.forVotes <= proposalVote.againstVotes is met, we will think this proposal as defeated.
The problem here is that requiredQuorum may change after the voting period. For example, there is one proposal, the proposal is defeated because the currentQuorum does not reach requiredQuorum. However, after a few days, the requiredQuorum decreases, this will cause that one defeated proposal to succeed and users can execute this proposal again.
Impact
Users can execute one defeated proposal because the requiredQuorum changes.
Tools Used
Manual
Recommendations
quorum() should return the different quorum according to different timestamp's voting power and settings.
Lead Judging Commences
Governance allows execution of previously-defeated proposals if quorum requirements are later lowered, enabling unexpected resurrection of old proposals
Governance allows execution of previously-defeated proposals if quorum requirements are later lowered, enabling unexpected resurrection of old proposals
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.