Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Governance Proposal Can Be Cancelled By Any User Despite Proposer Having Sufficient Voting Power

Relevant GitHub Links

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/proposals/Governance.sol#L262-L265

Summary

The cancel() function in Governance.sol has an incorrect logic check that allows any user to cancel a proposal if the original proposer has sufficient voting power, which is the opposite of intended behavior.

Vulnerability Details

The cancel function uses incorrect logic in its permission check:

    if (msg.sender != proposal.proposer &&
        _veToken.getVotingPower(proposal.proposer) >= proposalThreshold) {
        revert InsufficientProposerVotes(proposal.proposer,
            _veToken.getVotingPower(proposal.proposer), proposalThreshold, "Proposer lost required voting power");
    }

The condition allows cancellation if the sender is not the proposer AND the proposer has sufficient voting power. This is the opposite of intended behavior - anyone can cancel valid proposals.

Impact

Any user can cancel legitimate governance proposals from proposers who maintain sufficient voting power, completely breaking the governance security model.

Tools Used

Manual Review

Recommendations

  1. Fix the permission check logic:

    require(
        msg.sender == proposal.proposer &&
        _veToken.getVotingPower(proposal.proposer) > proposalThreshold,
        "Not authorized to cancel"
    );

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
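
An added example (not part of the submission or the RAAC code base) that models the check quoted under Vulnerability Details and the require() from Recommendations as pure functions, then tabulates which callers pass each one when the proposer's voting power is below, at and above the threshold. The threshold value and function names are constructed, and only this one check is modelled, not any other condition in cancel().

```javascript
// Model of the two permission checks shown on this page (added example).
// THRESHOLD is a constructed sample value, not the protocol's real setting.
const THRESHOLD = 100n;

// Check as quoted from cancel(): the call reverts only when the caller is
// NOT the proposer AND the proposer still holds >= threshold voting power.
function quotedCheckPasses(isProposer, proposerPower, threshold = THRESHOLD) {
  const reverts = !isProposer && proposerPower >= threshold;
  return !reverts;
}

// Check as written in the Recommendations section: caller must be the
// proposer AND the proposer's power must be strictly above the threshold.
function recommendedCheckPasses(isProposer, proposerPower, threshold = THRESHOLD) {
  return isProposer && proposerPower > threshold;
}

// Enumerate caller role x proposer power relative to the threshold,
// including the boundary case where power equals the threshold.
function authorizationMatrix(threshold = THRESHOLD) {
  const powers = { below: threshold - 1n, at: threshold, above: threshold + 1n };
  const rows = [];
  for (const caller of ["proposer", "other"]) {
    const isProposer = caller === "proposer";
    for (const [label, power] of Object.entries(powers)) {
      rows.push({
        caller,
        proposerPower: label,
        quotedCheckPasses: quotedCheckPasses(isProposer, power, threshold),
        recommendedCheckPasses: recommendedCheckPasses(isProposer, power, threshold),
      });
    }
  }
  return rows;
}

// Print the full matrix so the two checks can be compared row by row.
console.table(authorizationMatrix());
```

A table like this is a quick way to test a permission-check finding before submitting or judging it: each row is one unit-test case for the real contract.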
