CVE-2022-31198

Name of the Vulnerable Software and Affected Versions OpenZeppelin Contracts versions prior to 4.7.2

Description This issue concerns instances of Governor that use the module GovernorVotesQuorumFraction, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. Analysis of instances on chain found only one proposal that met this condition, and the issue is being actively monitored for new occurrences.

Recommendations For versions prior to 4.7.2, upgrade to v4.7.2 to resolve the issue. As a temporary workaround for users unable to upgrade, consider avoiding lowering quorum requirements if a past proposal was defeated for lack of quorum.