The Governance::quorum function calculates the quorum from the current total voting power at the time the proposal state is checked, rather than from a fixed snapshot taken at proposal creation. Because the value is computed dynamically, the required quorum fluctuates with token minting or burning, which opens governance outcomes to manipulation.
The quorum() function computes the required quorum as follows:
This calculation uses _veToken.getTotalVotingPower(), which typically reflects the current total supply. For example, if the total voting power is initially 1000e18 and quorumNumerator is 4, the required quorum is 40e18 tokens (4% of 1000e18). However, the total voting power may change after a proposal is created, for instance through minting or burning tokens, so the quorum requirement can be altered while the proposal is pending. An attacker could burn tokens to lower the total voting power, thereby reducing the quorum threshold and causing a proposal to pass with insufficient support. Conversely, minting tokens would raise the quorum and could block proposals that would otherwise have passed.
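The following contract is an added illustration, not code from the audited project: it places the live-supply quorum described above beside a variant that freezes the total voting power at proposal creation. Only getTotalVotingPower() and quorumNumerator come from the finding; the 1/100 denominator is implied by the 4% example, and every other name (IVeToken, Proposal, propose, quorumDynamic, quorumSnapshot) is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: only getTotalVotingPower() is taken from the finding.
interface IVeToken {
    function getTotalVotingPower() external view returns (uint256);
}

contract GovernanceQuorumExample {
    IVeToken public immutable _veToken;
    uint256 public quorumNumerator = 4;              // 4%, as in the finding
    uint256 public constant QUORUM_DENOMINATOR = 100; // implied by "4% of 1000e18"

    struct Proposal {
        uint256 totalVotingPowerSnapshot; // live supply captured at creation
        uint256 forVotes;
    }
    mapping(uint256 => Proposal) public proposals;
    uint256 public proposalCount;

    constructor(IVeToken veToken) {
        _veToken = veToken;
    }

    // Pattern described in the finding: the denominator is read live, so a
    // burn after creation lowers the bar (1000e18 -> 500e18 drops the quorum
    // from 40e18 to 20e18) and a mint raises it.
    function quorumDynamic() public view returns (uint256) {
        return (_veToken.getTotalVotingPower() * quorumNumerator) / QUORUM_DENOMINATOR;
    }

    // Snapshot variant: record the total voting power when the proposal is
    // created, so later supply changes cannot move the threshold.
    function propose() external returns (uint256 id) {
        id = ++proposalCount;
        proposals[id].totalVotingPowerSnapshot = _veToken.getTotalVotingPower();
    }

    function quorumSnapshot(uint256 id) public view returns (uint256) {
        return (proposals[id].totalVotingPowerSnapshot * quorumNumerator) / QUORUM_DENOMINATOR;
    }

    // Quorum check that only depends on values fixed at creation time.
    function quorumReached(uint256 id) external view returns (bool) {
        return proposals[id].forVotes >= quorumSnapshot(id);
    }
}
```

With a 1000e18 snapshot, quorumSnapshot() stays at 40e18 regardless of later mints or burns, whereas quorumDynamic() tracks the live supply.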
Proposals may be approved or rejected based on manipulated total voting power rather than the genuine support at the time of proposal creation.
Manual Review
Implement strict validation checks on governance proposals before execution to prevent unauthorized actions, and require multisig approval or a time-lock for critical changes.