⁷Missing Input Validation in rankCandidatesBySig()
Summary
The rankCandidatesBySig() function lacks a check to ensure that the orderedCandidates array does not exceed the maximum allowed number of candidates (MAX_CANDIDATES). A voter could bypass the limit of candidates by submitting a signed message, allowing them to rank more candidates than allowed.
Vulnerability Details
Impact
Bypassing the MAX_CANDIDATES limit can give a voter disproportionate influence in the election by allowing them to rank more candidates than permitted. This undermines the fairness of the voting process.
Proof of Concept:
The rankCandidates() function has a check for the maximum number of candidates, but the rankCandidatesBySig() function does not. A voter can submit a signed message ranking more than MAX_CANDIDATES candidates.
Tools Used
Manual Review
Recommendations
Add the same length check from rankCandidates() to rankCandidatesBySig() to ensure that voters cannot rank more candidates than allowed:
'''
if (orderedCandidates.length > MAX_CANDIDATES) {
revert RankedChoice__InvalidInput();
}
'''
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.