President Elector

First Flight #24
Beginner Friendly, Foundry
Submission Details
Severity: medium
Valid

No Time Check on Voting Function

Summary

The _rankCandidates and rankCandidates functions do not implement any time-based restrictions, allowing voters to continue voting even after the deadline for the election has passed. This can lead to an unfair advantage for voters who can still submit or modify their votes beyond the intended voting period, as long as selectPresident() has not been called to close the voting process.

Vulnerability Details

The contract's design includes a specific time frame for voting (approximately 4 years or 1460 days) after which a new president is elected. The vulnerability lies in the fact that there are no time checks in place within the _rankCandidates and rankCandidates functions to prevent voters from submitting or modifying their votes beyond the voting period.

If voters are allowed to vote or change their rankings after the voting deadline, it could lead to manipulation or unintended behavior in the election process.

  • _rankCandidates Function: This internal function is responsible for updating the rankings of a given voter for the current vote. It does not include any check to ensure that the voter is submitting their ranking within the voting period.

  • rankCandidates Function: This external function allows voters to submit their ranking of candidates, but it similarly lacks any restriction based on the current timestamp.

Without a time check, malicious voters can exploit this vulnerability to:

  • Wait until most voters have cast their votes and then submit or change their own ranking to influence the final result.

  • Delay calling selectPresident() and keep voting or modifying their choices, especially if they want to favor a particular candidate.

Impact

Allowing voters to cast or modify votes beyond the intended voting period can lead to manipulation of the election outcome. The integrity of the voting process is compromised, as voters can submit late votes or wait until the majority of votes are cast before submitting their ranking, thus unfairly influencing the final result.

Tools Used

Manual Review

Recommendations

Implement a time check in both the _rankCandidates and rankCandidates functions to ensure that voting can only occur within the allowed period (e.g., within the first 4 years of the election).

After the voting period ends, voters should be prohibited from submitting or modifying their rankings.
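One way to implement the recommended check, shown as an added example that is not the audited contract's code. It is a minimal stand-in contract: the names VOTING_PERIOD, votingStart, rankings, rankingOf and both custom errors are assumptions, and only the function names rankCandidates, _rankCandidates and selectPresident come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a minimal stand-in, not the audited contract.
// VOTING_PERIOD, votingStart, rankings and both errors are hypothetical names.
contract TimedRanking {
    uint256 public constant VOTING_PERIOD = 1460 days; // period given in the report
    uint256 public votingStart; // start of the current election
    mapping(address => address[]) private rankings; // voter => ordered candidates

    error VotingClosed(uint256 deadline, uint256 currentTime);
    error VotingStillOpen(uint256 deadline, uint256 currentTime);

    constructor() {
        votingStart = block.timestamp;
    }

    function votingDeadline() public view returns (uint256) {
        return votingStart + VOTING_PERIOD;
    }

    // External entry point. The time check lives in the internal function,
    // so any other caller of _rankCandidates is gated as well.
    function rankCandidates(address[] calldata orderedCandidates) external {
        _rankCandidates(orderedCandidates, msg.sender);
    }

    function _rankCandidates(address[] memory orderedCandidates, address voter) internal {
        uint256 deadline = votingDeadline();
        // Reject new or modified rankings once the period has ended.
        if (block.timestamp > deadline) revert VotingClosed(deadline, block.timestamp);
        rankings[voter] = orderedCandidates;
    }

    // Complementary boundary: closing is only possible strictly after the
    // deadline, so no timestamp allows both ranking and closing.
    // Tallying is outside the scope of this example; only the period reset is shown.
    function selectPresident() external {
        uint256 deadline = votingDeadline();
        if (block.timestamp <= deadline) revert VotingStillOpen(deadline, block.timestamp);
        votingStart = block.timestamp; // next election's window opens now
    }

    function rankingOf(address voter) external view returns (address[] memory) {
        return rankings[voter];
    }
}
```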

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No checks for time constraints to prevent voters from submitting or modifying votes after the voting period had ended
