A proposal that is canceled in the TimelockController can still retain its Succeeded status, which allows the proposer to bypass the entire voting process when re-queuing the proposal. This creates a significant vulnerability, as it enables a proposer to circumvent the governance checks and balances that are intended to ensure community consensus. By canceling a proposal that has already succeeded, the proposer can re-queue it without going through the voting period again, potentially leading to actions being taken that do not reflect the current sentiment of the token holders or protocol administrators.
The TimelockController::cancel function allows a proposal to be canceled by CANCELLER_ROLE while it still maintains its Succeeded status in Governance.sol.
This status means that the proposal can be re-queued without requiring a new vote, effectively bypassing the governance process. Anyone can do this by calling execute with the proposalId.
This can lead to a situation where a proposal that may no longer have community or admin support can be reintroduced and executed without proper oversight.
This vulnerability allows a proposer to circumvent the voting process for proposals that have been canceled but still retain their Succeeded status. This undermines the governance framework and can lead to actions being taken that do not reflect the current consensus of the token holders.
Manual code review
Update Cancellation Logic: Modify the cancel function to also update the status of the proposal in Governance.sol to prevent it from being marked as Succeeded after cancellation.
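The state mismatch and the recommended fix can be modeled in a few lines. This is an added example, not code from Governance.sol or TimelockController; the class, the method names (`queue`, `timelock_cancel`) and the `sync_cancel` flag are hypothetical, and `queue` stands in for the re-queue step described above.

```python
from enum import Enum

class State(Enum):
    SUCCEEDED = "Succeeded"
    QUEUED = "Queued"
    CANCELED = "Canceled"

class GovernanceModel:
    """Toy model, not the real contracts: status is derived from the vote
    result plus the timelock's pending set, as the finding describes."""

    def __init__(self, sync_cancel):
        self.sync_cancel = sync_cancel   # True = recommended fix applied
        self.vote_passed = set()         # proposals whose vote succeeded
        self.canceled = set()            # governance-side cancellation record
        self.timelock_pending = set()    # operations scheduled in the timelock

    def state(self, pid):
        if pid in self.canceled:
            return State.CANCELED
        if pid in self.timelock_pending:
            return State.QUEUED
        if pid in self.vote_passed:
            return State.SUCCEEDED
        raise KeyError(pid)

    def queue(self, pid):
        # Queuing checks only the Succeeded status; no fresh vote is needed.
        if self.state(pid) is not State.SUCCEEDED:
            raise PermissionError(f"proposal {pid} is {self.state(pid).value}")
        self.timelock_pending.add(pid)

    def timelock_cancel(self, pid):
        # CANCELLER_ROLE removes the operation from the timelock.
        self.timelock_pending.discard(pid)
        if self.sync_cancel:
            self.canceled.add(pid)       # fix: record it in governance too

def requeue_after_cancel(sync_cancel, pid=1):
    """Return (status after cancel, whether a re-queue was accepted)."""
    gov = GovernanceModel(sync_cancel)
    gov.vote_passed.add(pid)             # the one and only vote
    gov.queue(pid)
    gov.timelock_cancel(pid)
    status = gov.state(pid)
    try:
        gov.queue(pid)
    except PermissionError:
        return status, False
    return status, True
```

With `sync_cancel=False` the canceled proposal falls back to Succeeded and is accepted for queuing again; with `sync_cancel=True` it reports Canceled and the re-queue is rejected.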