[L-01] TYPEHASH does not follow the ERC-712 signature specification

Summary

The TYPEHASH declared in the contract does not follow the ERC-712 signature scheme. The function rankCandidates expects an array of addresses (address[]), but the TYPEHASH uses a uint256[] array instead. This inconsistency between the TYPEHASH and the actual function signature prevents proper EIP-712 signing and validation.

Vulnerability Details

Issue:

• Incorrect TYPEHASH: The TYPEHASH is computed using keccak256("rankCandidates(uint256[])"), but the function takes an array of addresses (address[]), not an array of uint256[].

• Impact on Signature Verification: This mismatch would result in incorrect signature verification under the EIP-712 scheme, as the TYPEHASH is one of the key elements for generating and verifying signatures.

Impact

This issue is classified as Low severity because it does not directly impact the execution of the contract. However, it prevents the correct usage of EIP-712 for generating and verifying signatures, which could lead to signature verification failures in systems expecting the correct schema.

Tools Used

Manual Review

Recommendations

Correct the TYPEHASH to match the expected parameter types

To fix the issue, the TYPEHASH should be updated to reflect the correct parameter type of address[] instead of uint256[]. The correct TYPEHASH would be:

This change will ensure that the EIP-712 signature generation and verification will work as expected for the rankCandidates function.

This adjustment aligns the TYPEHASH with the actual data structure and allows for proper signature verification under the ERC-712 standard.