Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Anyone can cancel governance proposals.

Summary

In the Governance contract, there is a logical flaw in the cancel function that allows any user to cancel a valid proposal even when the proposer maintains sufficient voting power. This is due to incorrect boolean logic in the validation check.

Vulnerability Details

The vulnerability exists in the cancel function's authorization check:

if (msg.sender != proposal.proposer && _veToken.getVotingPower(proposal.proposer) >= proposalThreshold) {
    revert InsufficientProposerVotes(
        proposal.proposer,
        _veToken.getVotingPower(proposal.proposer),
        proposalThreshold,
        "Proposer lost required voting power"
    );
}

The logical issue lies in the conditions being combined with an AND (&&) operator. Let's break down when this check will revert:

  1. msg.sender != proposal.proposer must be true AND

  2. _veToken.getVotingPower(proposal.proposer) >= proposalThreshold must be true

This means the function will only revert if BOTH conditions are true. However, the intended logic, as stated in the code comment "Only proposer or if proposer's voting power dropped below threshold", should be:

  • Allow cancellation if caller is the proposer OR

  • Allow cancellation if proposer's voting power is below threshold

The current implementation allows anyone to cancel a proposal when the caller is NOT the proposer but the proposer's voting power is ABOVE the threshold. This will mostly be the case, since after the proposal is created the proposer's voting power is unaffected: it is determined only by veRAACToken lock period accounting.

This is the opposite of what should happen. A non-proposer should only be able to cancel when the proposer's power drops below threshold.

PoC

  1. Alice (with sufficient veRAAC) creates a proposal

  2. Bob (any address) calls cancel(proposalId)

  3. The transaction succeeds even though:

    • Bob is not the proposer and,

    • Alice still has sufficient voting power above threshold

Impact

This vulnerability allows malicious actors to grief the governance process by cancelling legitimate proposals at will, effectively enabling a denial of service attack on the entire governance system. This completely breaks the security assumptions of the governance process.

Tools Used

Manual code review

Recommendations

Use OR (||) instead of AND (&&):

if (msg.sender != proposal.proposer ||
    _veToken.getVotingPower(proposal.proposer) >= proposalThreshold) {
    revert NotAuthorized();
}
proposal.canceled = true;

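
The four caller and voting-power combinations, evaluated against the guard quoted from the contract, the guard proposed under Recommendations, and the allow-rule in the contract comment. This is an added example, not code from the submission or the RAAC project; it models only the authorization check, and THRESHOLD and the sample voting powers are constructed values.

```javascript
// Added example: models only the authorization guard of cancel(),
// not proposal state or any other part of the Governance contract.
const THRESHOLD = 100n; // constructed stand-in for proposalThreshold

// Guard as quoted from the contract; cancel() reverts when this is true.
function revertsWithAnd(callerIsProposer, proposerPower) {
  return !callerIsProposer && proposerPower >= THRESHOLD;
}

// Guard as written in the Recommendations section; reverts when true.
function revertsWithOr(callerIsProposer, proposerPower) {
  return !callerIsProposer || proposerPower >= THRESHOLD;
}

// Allow-rule from the contract comment:
// "Only proposer or if proposer's voting power dropped below threshold".
function intendedAllow(callerIsProposer, proposerPower) {
  return callerIsProposer || proposerPower < THRESHOLD;
}

// Enumerate every combination and record who may cancel under each rule.
function authorizationMatrix() {
  const rows = [];
  for (const callerIsProposer of [true, false]) {
    for (const proposerPower of [150n, 50n]) { // constructed sample powers
      rows.push({
        caller: callerIsProposer ? "proposer" : "other",
        power: proposerPower >= THRESHOLD ? ">= threshold" : "< threshold",
        andAllows: !revertsWithAnd(callerIsProposer, proposerPower),
        orAllows: !revertsWithOr(callerIsProposer, proposerPower),
        intended: intendedAllow(callerIsProposer, proposerPower),
      });
    }
  }
  return rows;
}

console.table(authorizationMatrix());
```

A revert guard is the negation of the allow-rule, so by De Morgan's law an allow-rule of the form `A || B` corresponds to a guard of the form `!A && !B`.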
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
