Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Cancelled proposals can still be voted on.

Summary

The contract’s castVote function does not check whether a proposal has been canceled, allowing users to continue voting on a proposal that should no longer be active.

Vulnerability Details

Governance::cancel cancels a proposal by setting proposal.canceled = true. But Governance::castVote, which lets a user cast a vote on a specified proposal, has no check that the proposal has not been canceled. It only checks that the proposal's startTime is not zero (zero indicates a non-existent proposal) and that the call is made before endTime. These parameters are not reset when a proposal is canceled, and proposal.canceled is never explicitly checked or enforced.

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/proposals/Governance.sol#L181

Impact

Canceled proposals can still receive votes, which is needless.

Tools Used

Manual Review

Recommendations

Either reset the proposal's startTime to 0 during cancelation, so that the existing check in castVote catches it, or add a check in castVote that reverts if (proposal.canceled).
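
The second recommendation, shown in a simplified model of the proposal lifecycle. This is an added example, not the RAAC Governance contract: the fields other than startTime, endTime and canceled, the error names, and the one-vote-per-address weight are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model of the finding; not the RAAC Governance contract.
// Struct layout, error names and the fixed voting weight are assumptions.
contract GovernanceModel {
    struct Proposal {
        uint256 startTime; // 0 means the proposal does not exist
        uint256 endTime;
        bool canceled;
        uint256 forVotes;
        uint256 againstVotes;
        mapping(address => bool) hasVoted;
    }

    error ProposalDoesNotExist(uint256 id);
    error VotingEnded(uint256 id);
    error ProposalCanceled(uint256 id);
    error AlreadyVoted(uint256 id, address voter);

    uint256 public proposalCount;
    mapping(uint256 => Proposal) private _proposals;

    function propose(uint256 votingPeriod) external returns (uint256 id) {
        id = ++proposalCount;
        Proposal storage p = _proposals[id];
        p.startTime = block.timestamp;
        p.endTime = block.timestamp + votingPeriod;
    }

    // Access control omitted: the model only tracks proposal state.
    function cancel(uint256 id) external {
        Proposal storage p = _proposals[id];
        if (p.startTime == 0) revert ProposalDoesNotExist(id);
        p.canceled = true; // startTime and endTime keep their values
    }

    function castVote(uint256 id, bool support) external {
        Proposal storage p = _proposals[id];
        if (p.startTime == 0) revert ProposalDoesNotExist(id);
        if (block.timestamp > p.endTime) revert VotingEnded(id);
        // Added check: without this line a canceled proposal still passes
        // the two checks above and keeps accepting votes.
        if (p.canceled) revert ProposalCanceled(id);
        if (p.hasVoted[msg.sender]) revert AlreadyVoted(id, msg.sender);
        p.hasVoted[msg.sender] = true;
        if (support) p.forVotes += 1; else p.againstVotes += 1;
    }
}
```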

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Governance::castVote lacks canceled/executed proposal check, allowing users to waste gas voting on proposals that can never be executed
