President Elector

First Flight #24

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Immediately calling`selectPresident`can bypass the time limit

lilizhu

Summary

the s_previousVoteEndTimeStamp isn’t be set to 0 when deploy the contract, which cause the bypass of the limitation of the i_presidentalDuration

Vulnerability Details

in the providedRankedChoicecontract lies in theselectPresidentfunction. Specifically, the vulnerability exists in the time check logic for voting. TheNotTimeToVoteerror is triggered if the following condition is met:

if (block.timestamp - s_previousVoteEndTimeStamp <= i_presidentalDuration) {

revert RankedChoice__NotTimeToVote();

}

Since the initial value ofs_previousVoteEndTimeStampis 0 and i_presidentalDuration is 125184000(1260 days), the block.timestamp is greater than 1726617600 (1726617600 is time of the 2024/09/18), so during the first voting attempt,block.timestamp - s_previousVoteEndTimeStampwill likely be greater thani_presidentalDuration，so this can
bypass the limitation of the time.
POC(add this to the RankedChoiceTest.t.sol ):

function testSlectNumberPlus() public {

uint256 currentTimestamp = 1695671400; // Replace with the actual current Unix timestamp

vm.warp(currentTimestamp);

orderedCandidates = [candidates[1], candidates[1], candidates[2]];

vm.startPrank(voters[0]);

rankedChoice.rankCandidates(orderedCandidates);

rankedChoice.selectPresident();

vm.stopPrank();

assertEq(rankedChoice.getCurrentPresident(), candidates[1]);

}

Impact

the attack can call rankCandidates and selectPresident to choice the first Prensent immediately.

Tools Used

foundry, vscode

Recommendations

modify the construct code to this:

constructor(address[] memory voters) EIP712("RankedChoice", "1") {

VOTERS = voters;

i_presidentalDuration = 1460 days;

s_currentPresident = msg.sender;

s_voteNumber = 0;

++ s_previousVoteEndTimeStamp = block.timestamp;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`s_previousVoteEndTimeStamp` variable not being initialized correctly

Rewards breakdown

nSLOC

140

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.