📩Proposal Execution Failure Due to Guardian Set Change
Overview of the Vulnerability
In decentralized governance systems, such as those integrated with Wormhole, executing proposals across multiple chains relies on the validation of signatures from guardian sets. These guardian sets are responsible for verifying the authenticity of cross-chain messages (VAAs) and ensuring the correct functioning of the protocol. However, a vulnerability arises when a guardian set is updated between the time a proposal is queued and when it is executed, leading to failed executions due to outdated signature validation.
Concretely, the Wormhole guardian set changes during the proposal delay, so the signatures that validated the proposal at queue time are no longer accepted by the second verification required at execution. The proposal cannot be executed and must be re-submitted from the start, causing significant delays and disruption to governance.
In this tutorial, we will explore this type of vulnerability, how it occurs, and the steps that can be taken to mitigate the risk of failed governance proposal executions due to changes in Wormhole’s guardian set.
How the Vulnerability Occurs
Proposal Queuing: In a governance system that utilizes Wormhole, a proposal must first be queued. During the queuing process, the message (VAA) is validated by checking its signature against the guardian set responsible for verifying the message. If the message is verified as valid, it is queued for execution after a predefined delay (proposalDelay).
Guardian Set Change During Delay: After the proposal is queued, but before it is executed, Wormhole governance may update the guardian set. The new guardian set replaces the old one, and signatures produced by the previous set are no longer accepted. This happens when the governance contract executes a function that expires the old guardian set and installs a new one.
Failed Proposal Execution: When the proposalDelay passes and the protocol attempts to execute the proposal, the system performs a second verification against the Wormhole bridge contract. However, because the guardian set has changed, the previously valid signature is no longer recognized, causing the proposal execution to fail.
Delayed Governance: Due to the failed signature verification, the proposal remains unexecuted, and the governance process is delayed. The team must either resend the proposal or attempt to modify the guardian set validation to account for the change, both of which involve additional delays.
Conclusion
The vulnerability in Wormhole integrations involving failed proposal executions due to guardian set changes presents a critical challenge for decentralized governance systems. When the guardian set is updated between the time a proposal is queued and executed, the original signatures used for validation can become invalid, causing the proposal to fail.
To mitigate this issue, protocols should implement more flexible validation mechanisms: storing the complete VAA (rather than only its hash) so it can be re-validated later, validating at execution time against the guardian set that was active at queuing, and introducing fast-tracked execution for critical proposals. These strategies help ensure that proposals are executed smoothly even when Wormhole's guardian set changes mid-flight.
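The following is an added example, not code from the original page or from Wormhole. It is a minimal Python model of the queue/execute flow described above: a VAA signed by guardian set 0 passes the queue-time check, the bridge then replaces the guardian set during the delay, and the execution-time re-verification fails; the `pin_set` flag shows the mitigation of validating against the guardian set recorded at queue time. `Bridge`, `Governor`, the guardian names and the payload string are all hypothetical constructions standing in for real signatures and contracts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VAA:
    guardian_set_index: int      # which guardian set produced the signatures
    signers: frozenset           # guardians who signed (stand-in for signatures)
    payload: str

class Bridge:
    """Hypothetical stand-in for the core contract's guardian-set registry."""
    def __init__(self, guardians):
        self.sets = {0: frozenset(guardians)}
        self.current = 0

    def replace_guardian_set(self, guardians):
        self.current += 1
        self.sets[self.current] = frozenset(guardians)

    def verify(self, vaa, set_index):
        """Quorum check of the VAA against one specific guardian set."""
        if vaa.guardian_set_index != set_index:
            return False                      # signed by a different set
        guardians = self.sets[set_index]
        quorum = (len(guardians) * 2) // 3 + 1
        return len(vaa.signers & guardians) >= quorum

class Governor:
    """queue() and execute() as in the text; pin_set selects the mitigation."""
    def __init__(self, bridge, pin_set):
        self.bridge, self.pin_set, self.queued = bridge, pin_set, {}

    def queue(self, vaa):
        if not self.bridge.verify(vaa, self.bridge.current):
            raise ValueError("invalid VAA at queue time")
        # store the full VAA plus the set index it was checked against
        self.queued[vaa.payload] = (vaa, self.bridge.current)

    def execute(self, payload):
        vaa, set_at_queue = self.queued[payload]
        idx = set_at_queue if self.pin_set else self.bridge.current
        return self.bridge.verify(vaa, idx)   # True means the proposal executes

def run_scenario(pin_set):
    bridge = Bridge({"g1", "g2", "g3"})                 # constructed guardians
    gov = Governor(bridge, pin_set)
    vaa = VAA(0, frozenset({"g1", "g2", "g3"}), "upgrade-module")
    gov.queue(vaa)
    bridge.replace_guardian_set({"g4", "g5", "g6"})     # change during proposalDelay
    return gov.execute("upgrade-module")

if __name__ == "__main__":
    print(run_scenario(pin_set=False), run_scenario(pin_set=True))  # False True
```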