From f9f702888495d249f2a429cd484dbadd23b13d75 Mon Sep 17 00:00:00 2001
From: Henry de Valence <hdevalence@penumbralabs.xyz>
Date: Wed, 17 Jul 2024 16:44:16 -0400
Subject: [PATCH] gov: use saturating_sub as a defence-in-depth (#4716)

## Describe your changes

Uses saturating_sub as a defense in depth mechanism

## Issue ticket number and link

## Checklist before requesting a review

- [x] If this code contains consensus-breaking changes, I have added the
"consensus-breaking" label. Otherwise, I declare my belief that there
are not consensus-breaking changes, for the following reason:

  > defense in depth in a codepath that has not been executed
---
 crates/core/component/governance/src/component/view.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/core/component/governance/src/component/view.rs b/crates/core/component/governance/src/component/view.rs
index d76d9df811..7fc1d10380 100644
--- a/crates/core/component/governance/src/component/view.rs
+++ b/crates/core/component/governance/src/component/view.rs
@@ -532,7 +532,7 @@ pub trait StateReadExt: StateRead + penumbra_stake::StateReadExt {
                 // proposal start, minus the total voting power used by delegators to that validator
                 // who have voted. Their votes will be added back in below, re-assigning their
                 // voting power to their chosen votes.
-                let effective_power = power - delegator_tally.total();
+                let effective_power = power.saturating_sub(delegator_tally.total());
                 tally += (vote, effective_power).into();
             }
             // Add the delegator votes in, regardless of if the validator has voted.