Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Improper handling of queued proposals allows execution after cancellation

s0x0mtee

Summary

The cancellation of a queued proposal through the Governance::cancel function does not prevent its execution if the proposal has already been scheduled in the timelock. This creates a critical issue where a proposer goes below voting power threshold and his proposal gets canceled, or a proposer himself cancels a queued proposal yet the proposal may still be executed if the timelock conditions are met. Thereby, undermining the integrity of the governance process and potentially allowing for governance manipulation.

Vulnerability Details

A user calls Governance::propose to create a proposal.
The proposal is successfully created and reaches the queued state after passing the voting period.
The proposer goes below threshold power can the Governance::cancel function is called asper this comment on the code:

* - Automatic cancellation if proposer loses required voting power

The Governance::cancel function checks if the proposal is in the Executed state before allowing cancellation. However, it does not account for the Queued state, and since all it does is update the cancelled property to true ie proposal.canceled = true; it does not stop a proposal that has been added to TimlockController::scheduleBatch ie Queued from executing. Thus one of two things happen depending on design preference

Cancelled Proposals (possibly malicious) ends up executing.
Executed proposals possibly being labelled as cancelled, which reduced the governance integrity.

function cancel(uint256 proposalId) external override {

ProposalCore storage proposal = _proposals[proposalId];

if (proposal.startTime == 0) revert ProposalDoesNotExist(proposalId);

ProposalState currentState = state(proposalId);

if (currentState == ProposalState.Executed) {

revert InvalidProposalState(proposalId, currentState, ProposalState.Active, "Cannot cancel executed proposal");

}

// The check for Queued state is missing here

}

Impact

This vulnerability allows a proposer to cancel proposals that have already been approved and queued for execution, undermining the governance process and potentially allowing for malicious actions against the interests of the token holders.

Tools used

Manual code review
Static analysis tools

Recommendation

Add State Check: Modify the cancel function to include a check for the Queued state.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Governance::cancel and state lack synchronization with TimelockController

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Governance::cancel and state lack synchronization with TimelockController

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!