Inconsistent Voting Period End Check Allows Vote Manipulation
Summary
In Governance::state, the check for whether voting is still active uses block.timestamp < proposal.endTime, but in Governance::castVote users can vote when block.timestamp == proposal.endTime. This inconsistency creates a race condition where votes cast if the block is mined in the proposal.endTime may not be counted if the proposal state is checked in the same time.
Vulnerability Details
castVoteallows voting whenblock.timestamp == proposal.endTimestateconsiders voting ended whenblock.timestamp >= proposal.endTimeBoth functions can be called in the same block
Impact
This race condition could allow manipulation of proposal outcomes by:
Preventing legitimate last-minute votes from being counted
Enabling premature proposal execution before all valid votes are tallied
Creating uncertainty about whether votes will be counted in the final block
Recommendations
Make the end time check consistent between state and castVote:
This ensures votes cast in the final block are always counted before the proposal state can change.
Additionally, consider adding a buffer period between voting end and execution to prevent race conditions.
Lead Judging Commences
Governance::state and Governance::castVote use inconsistent time boundary checks, allowing votes at exactly proposal.endTime when state shows inactive
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.