President Elector

First Flight #24
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Susceptibility to MEV Manipulation Allowing Vote Tampering

Summary

The contract allows voters to submit their votes in a transparent manner, which makes it susceptible to Miner Extractable Value (MEV) attacks. Observers can monitor pending transactions in the mempool and, if they see that the election is close, they can submit their own votes or reorder transactions to influence the election outcome.

Vulnerability Details

  • Affected Functions: rankCandidatesBySig and rankCandidates

  • Issue Explanation:

    • Transparent Transactions: All voting transactions are public and can be observed in the mempool before they are mined.

    • MEV Opportunity: Malicious actors (including miners) can see incoming votes and choose to front-run them with their own transactions to alter the outcome.

    • Strategic Voting: Attackers can calculate the current standings and submit votes that favor their preferred candidate just before the election ends.

Impact

  • Election Outcome Manipulation: Attackers can unfairly influence the result of the election.

  • Unfair Advantage: Voters with the ability to observe and act on mempool data gain an advantage over regular voters.

  • Erosion of Trust: The integrity of the election process is compromised, reducing trust among participants.

Tools Used

Manual review

Recommendations

Use a locking mechanism so that, once the selectPresident phase starts, no one can cast their votes.
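The phase lock recommended above, sketched as an added example; it is not code from the submission or from the audited contract. Every name in it (PhasedBallot, votingEnds, castVote, finalize) is hypothetical, and it swaps ranked-choice counting for a single-choice plurality tally to keep the focus on the voting window.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: all names are hypothetical, not the audited contract's.
contract PhasedBallot {
    error VotingClosed();
    error VotingStillOpen();
    error AlreadyFinalized();
    error UnknownCandidate();

    uint256 public immutable votingEnds;     // last timestamp at which votes are accepted
    uint256 public immutable candidateCount;
    bool public finalized;
    uint256 public winner;

    mapping(address => uint256) private choicePlusOne; // 0 means "has not voted"
    mapping(uint256 => uint256) public votesFor;

    constructor(uint256 votingDuration, uint256 numCandidates) {
        votingEnds = block.timestamp + votingDuration;
        candidateCount = numCandidates;
    }

    // Voting entry point: rejected once the window has closed.
    function castVote(uint256 candidate) external {
        if (block.timestamp > votingEnds) revert VotingClosed();
        if (candidate >= candidateCount) revert UnknownCandidate();
        uint256 previous = choicePlusOne[msg.sender];
        if (previous != 0) votesFor[previous - 1] -= 1; // a re-vote replaces the old one
        choicePlusOne[msg.sender] = candidate + 1;
        votesFor[candidate] += 1;
    }

    // Selection entry point: callable only after the window and only once,
    // so no vote can land between the tally and the published result.
    function finalize() external returns (uint256) {
        if (block.timestamp <= votingEnds) revert VotingStillOpen();
        if (finalized) revert AlreadyFinalized();
        finalized = true;
        uint256 best = 0;
        for (uint256 i = 1; i < candidateCount; i++) {
            if (votesFor[i] > votesFor[best]) best = i; // ties keep the lower index
        }
        winner = best;
        return best;
    }
}
```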

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
