[CODE QUALITY] vote Function Allows Zero-Amount Votes #18143

@evmparser

Summary

The vote function in Governance.sol does not validate that the voting amount is greater than zero, allowing users to cast votes with zero voting power.

Severity

LOW - Minor code quality issue, potential for event spam

Location

  • File: l1-contracts/src/governance/Governance.sol
  • Function: vote

Description

The function lacks amount validation:

function vote(uint256 _proposalId, uint256 _amount, bool _support) external override(IGovernance) {
    // Missing: require(_amount > 0, "Cannot vote with zero amount");
    ProposalState state = getProposalState(_proposalId);
    require(state == ProposalState.Active, Errors.Governance__ProposalNotActive());
    // ...
}

Current Behavior

  • Users can call vote() with _amount = 0
  • Function executes successfully
  • VoteCast event is emitted with zero amount
  • No effect on proposal outcome
  • Costs gas for the caller

Impact

Minor Issues:

  1. Event Log Spam: Meaningless VoteCast events clutter the blockchain
  2. Indexer Noise: Off-chain indexers must process useless events
  3. Analytics Confusion: Vote counting systems must filter zero-amount votes
  4. Gas Waste: Users might accidentally vote with zero amount

Not a Security Risk:

  • Zero-amount votes don't affect proposal outcomes
  • Costs gas for the spammer, not the protocol
  • Cannot be used for griefing attacks effectively

Recommendation

Add a simple validation at the start of the function:

function vote(uint256 _proposalId, uint256 _amount, bool _support) external override(IGovernance) {
    require(_amount > 0, "Cannot vote with zero amount");
    ProposalState state = getProposalState(_proposalId);
    require(state == ProposalState.Active, Errors.Governance__ProposalNotActive());
    // ... rest of function
}

Benefits of Fix

  • Cleaner event logs
  • Better user experience (fail fast on mistakes)
  • Reduced noise for indexers and analytics
  • Consistent with best practices
  • Minimal gas cost for the check

Additional Context

This is a common validation pattern in governance contracts. Most voting systems (Compound, OpenZeppelin Governor, etc.) include this check to prevent meaningless transactions.
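
The indexer-side filtering listed under Impact, as an added example that is not part of the original issue or the project's code: it tallies decoded VoteCast events, skips zero-amount ones, and counts them per voter so the noise can be monitored. The event field names, addresses and threshold are assumptions (the issue does not show the event signature), and the sample events are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VoteCast:
    # Assumed decoded-event layout; field names are hypothetical.
    proposal_id: int
    voter: str
    support: bool
    amount: int


def tally(events):
    """Return (totals per proposal, zero-amount event count per voter)."""
    totals = defaultdict(lambda: {"yea": 0, "nay": 0, "counted_events": 0})
    zero_by_voter = Counter()
    for ev in events:
        if ev.amount < 0:
            # A decoded uint256 can never be negative; treat it as a decoder bug.
            raise ValueError(f"invalid amount in event: {ev!r}")
        if ev.amount == 0:
            # Carries no voting power: keep it out of the tally, but record it.
            zero_by_voter[ev.voter] += 1
            continue
        side = "yea" if ev.support else "nay"
        totals[ev.proposal_id][side] += ev.amount
        totals[ev.proposal_id]["counted_events"] += 1
    return dict(totals), zero_by_voter


def noisy_voters(zero_by_voter, threshold):
    """Voters with at least `threshold` zero-amount events (threshold is an assumption)."""
    return sorted(v for v, n in zero_by_voter.items() if n >= threshold)


# Constructed sample events, not taken from any chain.
SAMPLE_EVENTS = [
    VoteCast(1, "0xaaa", True, 100),
    VoteCast(1, "0xbbb", False, 40),
    VoteCast(1, "0xccc", True, 0),
    VoteCast(1, "0xccc", False, 0),
    VoteCast(1, "0xaaa", True, 50),
    VoteCast(2, "0xccc", True, 0),
    VoteCast(2, "0xbbb", True, 7),
]

if __name__ == "__main__":
    totals, zeros = tally(SAMPLE_EVENTS)
    print(totals, noisy_voters(zeros, threshold=3))
```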
