Conversation

@avorylli

Add explicit check to prevent underflow when subtracting overriddenWeight
from delegate votes. The check ensures votes[delegateSupport] >= overriddenWeight
before subtraction and reverts with GovernorInsufficientDelegateVotes error
if the invariant is violated.

This protects against edge cases where multiple override votes could theoretically
cause the delegate vote count to become insufficient, even though the current
logic should prevent this scenario.
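A minimal Solidity model of the guarded subtraction described above, added here as an illustration and not the OpenZeppelin contract or this PR's diff; the contract, function and mapping names (OverrideTallyExample, seed, countOverrideImplicit, countOverrideChecked) are hypothetical, and only the error name and its (available, required) shape follow the PR. It contrasts the implicit behaviour of Solidity 0.8 checked arithmetic (a Panic(0x11) with no operands) with the explicit check that reverts with a named, decodable error, and assumes forge-std is available for the test contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, stdError} from "forge-std/Test.sol";

/// Hypothetical stand-in for the delegate-vote tally; not the real governor.
contract OverrideTallyExample {
    /// Same shape as the error added in the PR: what was available vs. required.
    error GovernorInsufficientDelegateVotes(uint256 available, uint256 required);

    /// Aggregate weight per support option (constructed test state).
    mapping(uint8 => uint256) public votes;

    /// Test helper to seed a tally directly (not part of any real governor).
    function seed(uint8 support, uint256 weight) external {
        votes[support] = weight;
    }

    /// Without an explicit check: Solidity >= 0.8 still reverts on underflow,
    /// but with Panic(0x11), which carries no operands and is hard to diagnose.
    function countOverrideImplicit(uint8 delegateSupport, uint256 overriddenWeight) external {
        votes[delegateSupport] -= overriddenWeight;
    }

    /// With the PR's pattern: read once, compare, revert with a descriptive
    /// custom error before the subtraction can underflow, then write back.
    function countOverrideChecked(uint8 delegateSupport, uint256 overriddenWeight) external {
        uint256 currentVotes = votes[delegateSupport];
        if (currentVotes < overriddenWeight) {
            revert GovernorInsufficientDelegateVotes(currentVotes, overriddenWeight);
        }
        votes[delegateSupport] = currentVotes - overriddenWeight;
    }
}

/// Foundry test showing the two failure modes side by side.
contract OverrideTallyExampleTest is Test {
    OverrideTallyExample tally;

    function setUp() public {
        tally = new OverrideTallyExample();
        tally.seed(1, 100); // constructed: 100 weight on support option 1
    }

    function test_ImplicitUnderflowIsOpaquePanic() public {
        vm.expectRevert(stdError.arithmeticError); // Panic(0x11), no context
        tally.countOverrideImplicit(1, 150);
    }

    function test_CheckedUnderflowIsNamedError() public {
        vm.expectRevert(abi.encodeWithSelector(
            OverrideTallyExample.GovernorInsufficientDelegateVotes.selector, 100, 150));
        tally.countOverrideChecked(1, 150);
        tally.countOverrideChecked(1, 60); // in-range subtraction still succeeds
        assertEq(tally.votes(1), 40);
    }
}
```

Run with `forge test` in a project that has forge-std installed; the first test documents why the explicit check is worth its single SLOAD and comparison.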

@avorylli avorylli requested a review from a team as a code owner November 16, 2025 21:30
@changeset-bot

changeset-bot bot commented Nov 16, 2025

⚠️ No Changeset found

Latest commit: e687038

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@coderabbitai

coderabbitai bot commented Nov 16, 2025

Walkthrough

The GovernorCountingOverridable contract was modified to enhance vote handling during overrides. A new error, GovernorInsufficientDelegateVotes, was added to the contract. The _countOverride function now includes a safety check that validates current delegate votes before adjustment. If current votes fall below the overridden weight, the function reverts with the new error; otherwise, votes are adjusted as before. The change preserves existing VoteReduced event emissions while preventing underflow scenarios.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: adding underflow protection in the vote override subtraction logic.
Description check ✅ Passed The description is directly related to the changeset, explaining the explicit check added to prevent underflow and the new error condition.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
contracts/governance/extensions/GovernorCountingOverridable.sol (1)

158-162: Excellent defensive programming for a critical governance contract.

The underflow protection is well-implemented and follows Solidity best practices. While the existing logic should theoretically prevent currentVotes from being less than overriddenWeight, this explicit check:

  • Protects against potential bugs in vote accounting logic
  • Provides a clear, actionable error message if something unexpected occurs
  • Has minimal gas overhead (one SLOAD and comparison)
  • Is appropriate for a security-critical governance contract

The change enhances the contract's robustness without altering its intended behavior.

Optional future consideration: A similar underflow check could be added at line 124 in _countVote where overriddenWeight is subtracted from totalWeight. While the existing logic should prevent underflow there as well, adding a check would provide consistent defensive programming throughout the contract.

// Example of potential future enhancement at line 124
if (totalWeight < proposalVote.voteReceipt[account].overriddenWeight) {
    revert GovernorInsufficientVotingPower(totalWeight, proposalVote.voteReceipt[account].overriddenWeight);
}
totalWeight -= proposalVote.voteReceipt[account].overriddenWeight;

This is not required for the current PR but could be considered in a follow-up.

📥 Commits

Reviewing files that changed from the base of the PR and between 6308fdc and e687038.

📒 Files selected for processing (1)
  • contracts/governance/extensions/GovernorCountingOverridable.sol (2 hunks)
🔇 Additional comments (1)
contracts/governance/extensions/GovernorCountingOverridable.sol (1)

48-49: LGTM! Well-designed error declaration.

The error declaration follows best practices with clear naming and informative parameters. The available and required parameters will help diagnose any issues if this error is triggered.
