# #45310 [SC-Insight] `IWNat(address(token)).governanceVotePower().undelegate()` is redundant after `undelegateGovernance()`

**Submitted on May 12th 2025 at 13:21:52 UTC by @magtentic for** [**Audit Comp | Flare | FAssets**](https://immunefi.com/audit-competition/audit-comp-flare-fassets)

* **Report ID:** #45310
* **Report Type:** Smart Contract
* **Report severity:** Insight
* **Target:** <https://github.com/flare-labs-ltd/fassets/blob/main/docs/ImmunefiScope.md>
* **Impacts:**

## Description

## Brief/Intro

The `destroy()` function unnecessarily calls `IWNat(address(token)).governanceVotePower().undelegate()` even when the delegation has already been removed via a prior call to `undelegateGovernance()`. This leads to redundant operations and suboptimal gas usage.

## Vulnerability Details

The `TOKEN_DELEGATE_GOVERNANCE` flag is set in `tokenUseFlags[token]` via `_tokenUsed()` during a call to `delegateGovernance()`, but it is not cleared when `undelegateGovernance()` is invoked. As a result, `destroy()` treats the token as still actively delegated and makes a second, redundant call to `undelegate()`.

### Example:

#### Flag is set:

```
function delegateGovernance(IVPToken _token, address _to) external override onlyOwner {
    _token.governanceVotePower().delegate(_to);
    _tokenUsed(_token, TOKEN_DELEGATE_GOVERNANCE);
}
```

#### Flag is not cleared:

```
function undelegateGovernance(IVPToken _token) external override onlyOwner {
    _token.governanceVotePower().undelegate();
}
```

#### Redundant check in `destroy()`:

```
if ((useFlags & TOKEN_DELEGATE_GOVERNANCE) != 0) {
    IWNat(address(token)).governanceVotePower().undelegate();
}
```
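
One way to keep the flag in sync with the actual delegation state, as an added example that is not the FAssets code or part of the submitted report. `MockGovernanceVotePower`, `VaultModel`, `destroyCleanup()` and the flag's bit value are hypothetical, and access control (`onlyOwner`) is omitted for brevity:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for the governance vote power contract: it only
// records the delegatee and counts undelegate() calls.
contract MockGovernanceVotePower {
    uint256 public undelegateCalls;
    address public delegatee;

    function delegate(address _to) external {
        delegatee = _to;
    }

    function undelegate() external {
        delegatee = address(0);
        undelegateCalls++;
    }
}

// Simplified model of the flag bookkeeping described in the report.
contract VaultModel {
    // Assumed bit value; the real constant is not shown on the page.
    uint256 internal constant TOKEN_DELEGATE_GOVERNANCE = 2;

    MockGovernanceVotePower public immutable votePower;
    mapping(address => uint256) public tokenUseFlags;

    constructor(MockGovernanceVotePower _votePower) {
        votePower = _votePower;
    }

    function delegateGovernance(address _token, address _to) external {
        votePower.delegate(_to);
        tokenUseFlags[_token] |= TOKEN_DELEGATE_GOVERNANCE;
    }

    function undelegateGovernance(address _token) external {
        votePower.undelegate();
        // Clear only this bit so any other use flags on the token survive.
        tokenUseFlags[_token] &= ~TOKEN_DELEGATE_GOVERNANCE;
    }

    // Cleanup step modelled on the check quoted from destroy().
    function destroyCleanup(address _token) external {
        if ((tokenUseFlags[_token] & TOKEN_DELEGATE_GOVERNANCE) != 0) {
            votePower.undelegate();
        }
    }
}
```

With the flag cleared, calling `delegateGovernance()`, `undelegateGovernance()` and then `destroyCleanup()` leaves `undelegateCalls` at 1; without the clearing line it would be 2.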

## Impact Details

* Redundant logic: `undelegate()` is called twice for the same token, adding unnecessary gas cost.
* Potential confusion: It creates a mismatch between internal state (`tokenUseFlags`) and actual delegation state.
* Maintainability issue: Future contributors may misinterpret this logic or fail to reason correctly about token state.

## Proof of Concept

Refer to Vulnerability Details for guidance on why the code is redundant. Runnable PoCs are not required for Smart Contract & Blockchain/DLT bug reports.

