President Elector

Summary

The ranking algorithm is actually not implemented as stated, instead, the algorithm counts the number of occurrences of a candidate in the orderedCandidates list and based on this calculation, a newCandidatesList is formed. This algorithm does not implement a rating voting system. Thus, a voter can provide an array of orderedCandidates consisting of 10 identical addresses, so that the specified candidate can receive up to 10 votes.

Vulnerability Details

This happens in the _selectPresidentRecursive function in a nested loop

For example, s_voteNumber = 0, RoundNumber = 0 and a voter can provide such orderedCandidates (up to 10 elements):

1.CandidateA
2.CandidateA
3.CandidateA
...
10.CandidateA

According to the loop, s_candidateVotesByRound[candidateA][0][0] = 10. This behavior is not typical for rating voting, the calculations of the winner should be calculated based on the preferences of voters. Such behavior can lead to the fact that an unscrupulous voter can submit an array of orderedCandidates consisting of identical addresses of candidates, which can distort the election results.

Rating voting assumes that the candidates on the voter lists will not be repeated, and the candidates themselves will be arranged in the order of preference by the voter. The following array will correctly convey the preferences of the voter:

1.CandidateA
2.CandidateB
3.CandidateC
...
10.CandidateJ

Tools Used

Manual code review.

Recommendations

Do not allow sending orderedCandidates that contain duplicates, it is also correct to implement a rating voting algorithm that will be based on the rating preference of voters, and not on counting votes.