Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Vote Casting Allowed on Invalid Proposal States

Summary

The castVote() function in Governance.sol lacks proper state validation, allowing users to cast votes on proposals that are canceled, executed, or in other invalid states.

Vulnerability Details

The current implementation only checks time bounds:

    function castVote(uint256 proposalId, bool support) external override returns (uint256) {
        ProposalCore storage proposal = _proposals[proposalId];
        // Existence check only: a canceled or executed proposal still passes
        if (proposal.startTime == 0) revert ProposalDoesNotExist(proposalId);
        // Time-window checks; the proposal's state is never consulted
        if (block.timestamp < proposal.startTime) {
            revert VotingNotStarted(proposalId, proposal.startTime, block.timestamp);
        }
        if (block.timestamp > proposal.endTime) {
            revert VotingEnded(proposalId, proposal.endTime, block.timestamp);
        }
        // ... rest of function not shown in this excerpt
    }

Impact

Users waste gas casting votes on proposals that are canceled or otherwise in an invalid state.
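
The gap between "inside the voting window" and "Active" can be seen in a minimal stand-in contract. This is an added sketch, not the project's Governance.sol: the canceled flag, propose(), cancel(), inVotingWindow(), the enum members and the error arguments are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not the project's Governance.sol. The canceled flag, propose(),
// cancel(), the enum members and the error arguments are assumptions.
contract GovernanceSketch {
    enum ProposalState { Pending, Active, Canceled, Ended }
    struct ProposalCore { address proposer; uint256 startTime; uint256 endTime; bool canceled; uint256 votes; }

    error ProposalDoesNotExist(uint256 proposalId);
    error InvalidProposalState(uint256 proposalId, ProposalState current);
    error NotProposer(uint256 proposalId);

    mapping(uint256 => ProposalCore) private _proposals;
    uint256 private _count;

    function propose(uint256 delay, uint256 duration) external returns (uint256 id) {
        id = ++_count;
        ProposalCore storage p = _proposals[id];
        p.proposer = msg.sender;
        p.startTime = block.timestamp + delay;
        p.endTime = p.startTime + duration;
    }

    function cancel(uint256 proposalId) external {
        if (_proposals[proposalId].proposer != msg.sender) revert NotProposer(proposalId);
        _proposals[proposalId].canceled = true;
    }

    // Time-only view, mirroring the checks castVote() performs today.
    function inVotingWindow(uint256 proposalId) public view returns (bool) {
        ProposalCore storage p = _proposals[proposalId];
        return p.startTime != 0 && block.timestamp >= p.startTime && block.timestamp <= p.endTime;
    }

    function state(uint256 proposalId) public view returns (ProposalState) {
        ProposalCore storage p = _proposals[proposalId];
        if (p.startTime == 0) revert ProposalDoesNotExist(proposalId);
        if (p.canceled) return ProposalState.Canceled; // flag outranks the clock
        if (block.timestamp < p.startTime) return ProposalState.Pending;
        if (block.timestamp > p.endTime) return ProposalState.Ended;
        return ProposalState.Active;
    }

    function castVote(uint256 proposalId, bool) external returns (uint256) {
        ProposalState s = state(proposalId); // also reverts for unknown ids
        if (s != ProposalState.Active) revert InvalidProposalState(proposalId, s);
        return ++_proposals[proposalId].votes; // tally only; no per-voter accounting here
    }
}
```

After cancel(id) is called inside the window, inVotingWindow(id) still returns true while castVote(id, ...) reverts with InvalidProposalState(id, Canceled), which is the case the time-only checks miss.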

Tools Used

Manual review

Recommendations

Add state validation using the existing state() function:

function castVote(uint256 proposalId, bool support) external override returns (uint256) {
+ if (state(proposalId) != ProposalState.Active) revert InvalidProposalState();
// Rest of function
}
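Review bot: The added check on the first line of castVote() reverts with a bare InvalidProposalState(), while the existing reverts in this function (ProposalDoesNotExist, VotingNotStarted, VotingEnded) all carry the proposalId; pass at least the proposalId, and ideally the current state, so callers can tell why the vote was rejected. Because the check runs before the `proposal.startTime == 0` existence test, the revert seen for an unknown proposalId will depend on how state() treats a missing proposal, which is not visible here; placing it after the existence test keeps that error unchanged. The "// Rest of function" placeholder also leaves open whether the two timestamp checks stay or are meant to be subsumed by state(), and that should be stated explicitly.
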
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Governance::castVote lacks canceled/executed proposal check, allowing users to waste gas voting on proposals that can never be executed

