Missing Delegate Validation#

Informational

In Governor.sol castVoteInternal validates that the voter must have a communityId

require(
    voterCommunityId != 0,
    "Governor::castVoteInternal: voter invalid"
);

But in ERC721WrapperVotes.sol the end user is able to delegate votes to any address, even if they do not have a communityId:

function _delegate(address account, address delegatee) internal virtual {
    address oldDelegate = delegates(account);
    _delegation[account] = delegatee;

    emit DelegateChanged(account, oldDelegate, delegatee);
    _moveDelegateVotes(
        oldDelegate,
        delegatee,
        uint16(userInfos[account].balance)
    );
}

Recommendation#

When a user delegates their votes, validate that the delegatee is a valid community member.

  require(getCommunityId(delegatee) != 0, "Delegatee cannot vote");

Note, this validation also would also alleviate issues around zero address delegation.