The Governance::cancel() function allows anyone to cancel a passed proposal if the proposer's voting power drops below the proposal threshold, which can happen naturally due to vote decay.
The cancel() function in Governance.sol allows cancellation of proposals in any state except Executed, contradicting the NatSpec, which states that it should only cancel active proposals. Moreover, the parameters of the error itself indicate that the only state in which cancellation should be allowed is Active.
The error's definition:
The key problematic code:
1. Alice creates a proposal with sufficient voting power (>= proposalThreshold).
2. The proposal passes voting and enters the Succeeded state.
3. Due to vote decay, Alice's voting power naturally drops below proposalThreshold.
4. Bob (or any user) can now call cancel() on the successful proposal.
5. The proposal is canceled despite having passed voting.
- Successful proposals can be maliciously canceled before execution.
- Undermines the governance process, since passed proposals are not guaranteed to execute.
- Could be exploited to prevent unfavorable but legitimate proposals from executing.
Only allow cancellation during active voting:
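The recommended guard as an added Solidity sketch, with the weak check the finding describes kept as a comment beside it. This is not the audited Governance.sol: apart from cancel() and proposalThreshold, every contract, interface, error and function name is hypothetical. It also assumes the proposer may cancel during voting, and it omits vote tallying.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch. Every name is hypothetical; none is taken from the audited Governance.sol.
interface IVotingPower {
    function getVotes(address account) external view returns (uint256);
}
contract CancelGuardSketch {
    enum State { Active, Succeeded, Canceled, Executed }
    struct Proposal { address proposer; uint256 voteEnd; bool canceled; bool executed; }
    error WrongState(uint256 id, State current, State required);
    error ProposerAboveThreshold(uint256 id);
    IVotingPower public immutable power;
    uint256 public immutable proposalThreshold;
    Proposal[] public proposals;

    constructor(IVotingPower power_, uint256 threshold_) { power = power_; proposalThreshold = threshold_; }

    function propose(uint256 votingPeriod) external returns (uint256 id) {
        require(power.getVotes(msg.sender) >= proposalThreshold, "below threshold");
        id = proposals.length;
        proposals.push(Proposal(msg.sender, block.timestamp + votingPeriod, false, false));
    }

    // Simplified: tallying is omitted, so a proposal that outlives its voting period is Succeeded.
    function state(uint256 id) public view returns (State) {
        Proposal storage p = proposals[id];
        if (p.executed) return State.Executed;
        if (p.canceled) return State.Canceled;
        return block.timestamp <= p.voteEnd ? State.Active : State.Succeeded;
    }

    function cancel(uint256 id) external {
        State current = state(id);
        // Weak check described in the finding: only Executed is rejected, so Succeeded passes.
        //   if (current == State.Executed) revert WrongState(id, current, State.Active);
        // Hardened check: every state other than Active is rejected.
        if (current != State.Active) revert WrongState(id, current, State.Active);
        Proposal storage p = proposals[id];
        // Assumption: third parties may cancel only while the proposer is below the threshold.
        if (msg.sender != p.proposer && power.getVotes(p.proposer) >= proposalThreshold) revert ProposerAboveThreshold(id);
        p.canceled = true;
    }

    function execute(uint256 id) external {
        State current = state(id);
        if (current != State.Succeeded) revert WrongState(id, current, State.Succeeded);
        proposals[id].executed = true;
    }
}
```

With the hardened check, vote decay after the voting period ends no longer matters: a Succeeded proposal reverts in cancel() before the threshold comparison is reached.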