[bug] governance-core: grant_role allows expires_at set in the past — immediately-expired role grants are stored without error

[gboigwe]

Summary

grant_role accepts any expires_at: Option<u64> value. Passing expires_at = Some(1) (or any timestamp before env.ledger().timestamp()) creates a RoleGrant that is immediately invalid. has_role will detect and remove it on the first call, but until then RoleCount is inflated, the storage rent is wasted, and any caller that reads the grant directly (via get_role_grant) would see a role that is no longer valid but not yet cleaned up.

Location

contracts/governance-core/src/lib.rs, grant_role

pub fn grant_role(env: Env, admin: Address, account: Address, role: Role, expires_at: Option<u64>) {
    // ❌ No validation: if let Some(exp) = expires_at { if exp <= now { panic!(...) } }

Fix

if let Some(exp) = expires_at {
    if exp <= env.ledger().timestamp() {
        panic!("expires_at must be in the future");
    }
}

[blurbeast]

@blurbeast has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

hello my Chief, can i jump on this please ??

ℹ️ Repo Maintainers: To accept this application, review their application or assign @blurbeast to this issue.

[Nuel-ship-it]

@Nuel-ship-it has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Can I work on this please 🥺

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Nuel-ship-it to this issue.

[drips-wave]

Congratulations, @blurbeast! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @blurbeast: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @blurbeast as part of the Stellar Wave Program's 5th Wave 🥳

😎 @blurbeast: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.