Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing Proposal Type Validation Leading to Potential Misuse of Governance Actions

Summary

The propose function in the Governance contract accepts a proposalType parameter (e.g., ParameterChange, SmartContractUpgrade) but does not validate or enforce any rules based on the type. This lack of validation allows a proposal of any type to execute any action, regardless of its intended purpose. As a result, governance actions can be miscategorized, which can lead to confusion or misuse (e.g., a ParameterChange proposal executing a SmartContractUpgrade) and to outcomes that potentially do not match voter expectations.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/interfaces/core/governance/proposals/IGovernance.sol#L21

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/proposals/Governance.sol#L127

The propose function does not include logic to validate whether the specified proposalType aligns with the actions being proposed.

  • For example, a ParameterChange proposal could execute arbitrary smart contract upgrades, which is outside the scope of its intended purpose.

  • https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/proposals/Governance.sol#L151

  • proposalType is stored in ProposalCore and emitted in ProposalCreated, but no logic in propose, castVote, execute, _queueProposal, or _executeProposal validates or restricts targets, values, or calldatas based on it.

  • Example:

    • proposalType = ParameterChange with calldatas upgrading a contract → Executes without restriction.

    • proposalType = TreasuryAction with calldatas changing votingDelay → Executes without restriction.

  • The only checks in propose are:

    • Proposer voting power (proposerVotes >= proposalThreshold)

    • Array length consistency (targets.length == values.length == calldatas.length)

  • TimelockController blindly executes whatever is queued (executeBatch), relying on Governance to enforce rules.

Impact

  • Malicious actors could exploit this by submitting proposals with misleading types, causing voters to unintentionally approve actions outside the scope of the proposal's intended purpose.

Tools Used

Manual Review

Recommendations

  • Add a mapping or configuration that defines the allowed actions for each proposalType.

  • Validate the targets, values, and calldatas against the allowed actions for the specified proposalType.
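One way to implement the two recommendations above, as an added example that is not code from the RAAC repository. The contract name `ProposalTypeGuard`, the functions `setAllowedAction`, `_validateActions` and `_authorizeAllowlistChange`, the custom errors, and the use of `memory` arrays are all assumptions; only the three enum members come from this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: hypothetical allowlist guard, not RAAC's Governance code.
abstract contract ProposalTypeGuard {
    // Members are the three types named in this report; the real
    // IGovernance.ProposalType may define more.
    enum ProposalType { ParameterChange, SmartContractUpgrade, TreasuryAction }

    error EmptyProposal();
    error CalldataTooShort(uint256 index);
    error ActionNotAllowed(ProposalType proposalType, address target, bytes4 selector);

    // proposalType => target => function selector => allowed
    mapping(ProposalType => mapping(address => mapping(bytes4 => bool))) private _allowed;

    event ActionAllowanceSet(
        ProposalType indexed proposalType, address indexed target, bytes4 selector, bool allowed
    );

    // Hypothetical hook: the inheriting contract decides who may edit the
    // allowlist (for example only the timelock, so changes are themselves voted on).
    function _authorizeAllowlistChange() internal view virtual;

    function setAllowedAction(
        ProposalType proposalType, address target, bytes4 selector, bool allowed
    ) external {
        _authorizeAllowlistChange();
        _allowed[proposalType][target][selector] = allowed;
        emit ActionAllowanceSet(proposalType, target, selector, allowed);
    }

    // Intended to be called from propose() after the array-length check
    // and before the proposal is stored.
    function _validateActions(
        ProposalType proposalType, address[] memory targets, bytes[] memory calldatas
    ) internal view {
        if (targets.length == 0) revert EmptyProposal();
        for (uint256 i = 0; i < targets.length; i++) {
            // Fewer than 4 bytes means no selector (plain ETH transfer or
            // fallback call); reject instead of guessing its category.
            if (calldatas[i].length < 4) revert CalldataTooShort(i);
            bytes4 selector = bytes4(calldatas[i]); // first 4 bytes of the call
            if (!_allowed[proposalType][targets[i]][selector]) {
                revert ActionNotAllowed(proposalType, targets[i], selector);
            }
        }
    }
}
```

Because the check runs at proposal time, a mismatched proposal reverts before voters ever see it; repeating the check at execution would also cover allowlist entries removed while a proposal is pending.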

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
