The `rankCandidatesBySig()` function lacks a check to ensure that the `orderedCandidates` array does not exceed the maximum allowed number of candidates (`MAX_CANDIDATES`). A voter could bypass the limit of candidates by submitting a signed message, allowing them to rank more candidates than allowed.
Bypassing the `MAX_CANDIDATES` limit can give a voter disproportionate influence in the election by allowing them to rank more candidates than permitted. This undermines the fairness of the voting process.
Proof of Concept:
The `rankCandidates()` function has a check for the maximum number of candidates, but the `rankCandidatesBySig()` function does not. A voter can submit a signed message ranking more than `MAX_CANDIDATES` candidates.
Manual Review
Add the same length check from `rankCandidates()` to `rankCandidatesBySig()` to ensure that voters cannot rank more candidates than allowed:
```solidity
if (orderedCandidates.length > MAX_CANDIDATES) {
    revert RankedChoice__InvalidInput();
}
```
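An added sketch, not the audited contract's code, of one way to apply this recommendation: both entry points delegate to a single internal function that holds the length check, so the signature path cannot miss it. The contract name, the `MAX_CANDIDATES` value, the storage mapping and the simplified signed digest are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Illustrative contract only; names other than rankCandidates, rankCandidatesBySig,
// orderedCandidates, MAX_CANDIDATES and RankedChoice__InvalidInput are hypothetical.
contract RankingLimitExample {
    error RankedChoice__InvalidInput();

    uint256 private constant MAX_CANDIDATES = 10; // assumed value
    mapping(address voter => address[] ranking) private s_rankings; // hypothetical storage

    // Direct path: the caller is the voter.
    function rankCandidates(address[] calldata orderedCandidates) external {
        _rankCandidates(orderedCandidates, msg.sender);
    }

    // Signature path: the voter is whoever signed the ranking.
    // The digest below is deliberately simplified (assumption); a production
    // contract would sign an EIP-712 struct and track nonces against replay.
    function rankCandidatesBySig(
        address[] calldata orderedCandidates,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        bytes32 digest = keccak256(
            abi.encode(address(this), block.chainid, orderedCandidates)
        );
        address signer = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) for an invalid signature.
        if (signer == address(0)) revert RankedChoice__InvalidInput();
        _rankCandidates(orderedCandidates, signer);
    }

    // Single place where input limits are enforced for every entry point.
    function _rankCandidates(address[] calldata orderedCandidates, address voter) internal {
        if (orderedCandidates.length > MAX_CANDIDATES) {
            revert RankedChoice__InvalidInput();
        }
        s_rankings[voter] = orderedCandidates;
    }
}
```

Keeping validation in the shared internal function means any entry point added later inherits the limit without a separate check.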