Submission Details
Severity:
A user can vote on cancelled proposal in the `Governance` contract.
Summary
"Users can cast votes on proposals that are canceled."
Vulnerability Details
In the Governance::castVote function, there is no check to prevent users from casting votes on canceled proposals.
Once the proposal is canceled by calling cancel, the canceled state is set to true, as shown below.
proposal.canceled = true;
But the Governance::castVote function does not check this state of the proposal to verify whether it is canceled or not. Hence, a user can cast a vote on canceled proposals.
Impact
A user can cast votes on canceled proposals since the Governance::castVote function lacks a check for canceled proposals.
Recommendations
function castVote(uint256 proposalId, bool support) external override returns (uint256) {
ProposalCore storage proposal = _proposals[proposalId];
if (proposal.startTime == 0) revert ProposalDoesNotExist(proposalId);
if (block.timestamp < proposal.startTime) {
revert VotingNotStarted(proposalId, proposal.startTime, block.timestamp);
}
if (block.timestamp > proposal.endTime) {
revert VotingEnded(proposalId, proposal.endTime, block.timestamp);
}
+ require(!proposal.cancelled, "proposal cancelled");
ProposalVote storage proposalVote = _proposalVotes[proposalId];
if (proposalVote.hasVoted[msg.sender]) {
revert AlreadyVoted(proposalId, msg.sender, block.timestamp);
}
uint256 weight = _veToken.getVotingPower(msg.sender);
if (weight == 0) {
revert NoVotingPower(msg.sender, block.number);
}
proposalVote.hasVoted[msg.sender] = true;
if (support) {
proposalVote.forVotes += weight;
} else {
proposalVote.againstVotes += weight;
}
emit VoteCast(msg.sender, proposalId, support, weight, "");
return weight;
}
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
Governance::castVote lacks canceled/executed proposal check, allowing users to waste gas voting on proposals that can never be executed
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
Governance::castVote lacks canceled/executed proposal check, allowing users to waste gas voting on proposals that can never be executed
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.