President Elector

Summary

There are potential issues with gas costs in the function_selectPresidentRecursive for large arrays of voters, particularly when looping over them.

Vulnerability Details

Although not specified by the protocol, usually participants in the voting process for presidents are millions. If the VOTERS array contains a significant number of entries (e.g., thousands or more), each loop iteration (particularly the nested loops in _selectPresidentRecursive) will increase gas usage. Ethereum has gas limits per block, and too many iterations could lead to the transaction running out of gas. The outer loop runs over all voters, and within that loop, another loop checks the rankings for each voter. This means the gas cost grows quickly as the number of voters increases, which can cause the transaction to fail if it exceeds block gas limits.

Impact

Gas cost for selecting a president could grow exponentially when handling big arrays of voters, who had passed big arrays of candidates (although limited to 10). This could lead to DoS and lack of possibility for choosing a president.

Tools Used

Manual review

Recommendations

Split the voter array into batches and process them in separate transactions. For example, process a subset of voters in one transaction, then resume from where it left off in the next transaction.

Another way for mitigation is some of the heavy computation, such as tallying votes, to be done off-chain, and only the final results or proof of vote tallying can be submitted on-chain.