Core Contracts

Summary

The governance contract reverts with a ProposalAlreadyExecuted error when a proposal is attempted to be executed after it has already been processed. However, the error message reports the current block timestamp instead of the actual execution time of the proposal. This discrepancy can lead to confusion when troubleshooting governance actions.

Vulnerability Details

In the execute() function, the contract checks if a proposal has already been executed using the following code:

The ProposalAlreadyExecuted error is defined to include two parameters: the proposalId and the executionTime. In this implementation, the error is supplied with block.timestamp—the time when the revert is triggered—rather than the time when the proposal was actually executed. Since the contract does not store the execution time of the proposal, the error message does not accurately reflect the proposal’s execution time.

Impact

The inaccurate reporting of execution time can hinder debugging and monitoring of governance activities. Users and administrators relying on the error data to determine when a proposal was executed might receive misleading information. This could lead to confusion during audits, dispute resolution, or when analyzing the historical performance of the governance process.

Tools Used

• Manual Review

Recommended Mitigation

1. Store Execution Time:
   Update the proposal data structure (e.g., the ProposalCore struct) to include an executedTime field. This field should be set to block.timestamp at the moment the proposal is executed.

2. Modify Execution Function:
   In the _executeProposal() function, after executing the proposal, update the proposal’s state as follows:

   proposal.executed = true;

   proposal.executedTime = block.timestamp;

   emit ProposalExecuted(proposalId, msg.sender, block.timestamp);

3. Return Correct Execution Time in Revert:
   In the execute() function, modify the revert check to use the stored execution time:

   if (proposal.executed) revert ProposalAlreadyExecuted(proposalId, proposal.executedTime);

This change ensures that the error message accurately communicates the exact time when the proposal was executed, improving transparency and aiding in troubleshooting governance issues.