President Elector

First Flight #24
Submission Details
Severity: medium
Valid

[M-1] Potential Replay attacks on `rankCandidatesBySig`

Description: Potential replay attacks on `rankCandidatesBySig`:

In the function `rankCandidatesBySig`, neither a nonce nor a chainId is included, so nothing prevents the transaction from being re-executed.

If this contract were deployed on multiple blockchains, someone could replay a signature from one chain on another. Since signatures don’t contain any chain-specific information, this would allow the same vote to be counted multiple times across chains. This could be problematic in multi-chain systems.

If a voter signs a message and someone else sends the transaction for him, then even if he later changes his vote himself by calling `rankCandidate()`, a malicious person can undo that by calling `rankCandidatesBySig` again, and the change is rolled back. So the voter can't change his vote.

Impact: This issue makes the voter unable to change his vote once it has been cast by calling `rankCandidatesBySig`. Furthermore, if the smart contract is running on multiple blockchains, someone can vote for him on another blockchain.

Recommended Mitigation:

Add the chainId and a nonce to the signature to prevent this.
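One way to apply this mitigation, as an added sketch that is not the contest's code: the signed digest binds the chain id, the contract address and a per-voter nonce, and the nonce is consumed on use. The contract name, the `Ranking` struct type, the `nonces` mapping and the storage layout are assumptions made for illustration, and voter-eligibility checks are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract for illustration; eligibility checks are omitted.
contract ReplaySafeRanking {
    bytes32 private constant DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    // Assumed struct type: the nonce is part of what the voter signs.
    bytes32 private constant TYPEHASH =
        keccak256("Ranking(address[] candidates,uint256 nonce)");

    mapping(address => uint256) public nonces;      // next unused nonce per voter
    mapping(address => address[]) private rankings; // latest ranking per voter

    // Recomputed on every call so the digest always reflects the current
    // chain id and this contract's address.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH, keccak256("ReplaySafeRanking"), keccak256("1"),
            block.chainid, address(this)));
    }

    function rankCandidatesBySig(
        address voter, address[] calldata candidates,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        // EIP-712 encodes an address[] as the hash of its 32-byte-padded items.
        bytes32 structHash = keccak256(abi.encode(
            TYPEHASH, keccak256(abi.encodePacked(candidates)), nonces[voter]));
        bytes32 digest = keccak256(
            abi.encodePacked("\x19\x01", domainSeparator(), structHash));
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == voter, "bad signature");
        // Consume the nonce: the same signature no longer matches the digest,
        // so it cannot be submitted a second time.
        nonces[voter]++;
        rankings[voter] = candidates;
    }

    // Direct vote. A signature already used above cannot roll this back,
    // because its nonce has been consumed.
    function rankCandidates(address[] calldata candidates) external {
        rankings[msg.sender] = candidates;
    }
}
```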

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Replay Attack - The same signature can be used over and over
