Core Contracts

veRAACToken.sol

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/veRAACToken.sol#L393

Overview

The contract defines:

nowhere in the code snippet do we see a function to set proposalPowerSnapshots[proposalId] for valid proposals. If no external entity updates it, or if it’s assumed to be done by an external contract that also lacks logic, snapshotBlock remains 0 for all proposals, causing:

1. Revert with InvalidProposal() for every query, or

2. Permanent 0 block references, making the governance snapshot logic inoperable.

Attack / Demonstration

1. Owner or Governance Attempting to Use Snapshots

   • A legitimate proposal is introduced, but no function sets proposalPowerSnapshots[id] = someBlockNumber.

2. Call getVotingPowerForProposal(...)

   • The function fetches proposalPowerSnapshots[proposalId] → 0.

   • The code sees if (snapshotBlock == 0) revert InvalidProposal(); → reverts.

Result: All queries revert or produce invalid data, effectively breaking the governance snapshot concept.

Impact

• Broken Governance Snapshot: The system cannot record or retrieve block snapshots per proposal, preventing stable “historical voting power” checks.

• Impossible to Validate Past Votes: The contract’s design to check historical power at the snapshot block is moot if that block is never set.

• Inconsistent Protocol Flow: Off-chain or external processes might assume the contract sets the snapshot automatically, but discover no function does so. This can cause confusion or wasted calls.

Recommended Fix

Add a function to set or update each proposal’s snapshot block, for instance:

• Access Control: Restrict to a legitimate governance contract or the owner.

• Validation: Ensure snapshotBlock is nonzero and that the proposalId is recognized/valid if needed.