The RankedChoice smart contract lacks mechanisms to verify the validity or eligibility of candidates being ranked or voted for. This omission allows any address to be added as a candidate, regardless of whether it meets predefined criteria or is even participating in the election. This could lead to invalid or ineligible candidates being ranked, undermining the election's fairness and accuracy.
The contract does not include a verification process to ensure that the candidates being ranked by voters are eligible to participate in the election. This allows any address to be ranked as a candidate, even if that address does not correspond to a valid or pre-approved candidate.
The code checks whether the candidate is already in the list but does not validate whether the candidate is eligible to be included in the first place.
During the ranking and voting process, voters submit an ordered list of candidates, but the contract does not check whether the submitted addresses are part of a valid list of candidates. This opens up the following risks:
Voters could rank addresses that are not officially nominated or approved as candidates.
Malicious actors or erroneous inputs could cause random or invalid addresses to be ranked as candidates, producing meaningless results.
An address that is not part of the election could be mistakenly or intentionally added to the ranking list, receiving votes despite being ineligible.
Manual Review
Implement a mechanism that verifies whether each candidate being ranked is part of a predefined list of eligible candidates. Only addresses that have been approved as candidates should be allowed to be ranked.
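One way to apply this recommendation, as an added sketch that is not code from the audited RankedChoice contract. The contract name, function names, error names and the ballot length cap are hypothetical, the candidate list is assumed to be fixed at deployment, and voter authorization is left out to keep the focus on candidate eligibility.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration; all names here are hypothetical and are not taken
// from the audited contract.
contract EligibleRanking {
    uint256 private constant MAX_CANDIDATES = 10; // assumed cap on ballot length

    mapping(address => bool) public isEligible;       // predefined candidate allowlist
    mapping(address => address[]) private s_rankings; // voter => ordered ballot

    error InvalidBallotLength(uint256 length);
    error IneligibleCandidate(address candidate);
    error DuplicateCandidate(address candidate);

    // The approved candidate list is fixed at deployment (assumption).
    constructor(address[] memory approvedCandidates) {
        for (uint256 i = 0; i < approvedCandidates.length; i++) {
            isEligible[approvedCandidates[i]] = true;
        }
    }

    // Store the caller's ballot only if every entry is an approved candidate.
    function rankCandidates(address[] calldata orderedCandidates) external {
        uint256 n = orderedCandidates.length;
        if (n == 0 || n > MAX_CANDIDATES) revert InvalidBallotLength(n);

        for (uint256 i = 0; i < n; i++) {
            address candidate = orderedCandidates[i];
            // The eligibility check the finding reports as missing.
            if (!isEligible[candidate]) revert IneligibleCandidate(candidate);
            // Existing-style check: the same candidate may not appear twice.
            for (uint256 j = 0; j < i; j++) {
                if (orderedCandidates[j] == candidate) revert DuplicateCandidate(candidate);
            }
        }
        // The whole ballot is rejected if any entry fails, so no partial
        // ranking containing an unapproved address is ever stored.
        s_rankings[msg.sender] = orderedCandidates;
    }

    function getRanking(address voter) external view returns (address[] memory) {
        return s_rankings[voter];
    }
}
```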