President Elector

First Flight #24
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Possibility of Zero Address (`address(0)`) Being Elected as President

Summary

The contract never checks that a submitted candidate is a non-zero address, so a voter can include address(0) in a ballot. If enough ballots rank it, the zero address can win the tally and be stored as s_currentPresident, which is almost certainly unintended and could break any logic that assumes the president is a real account.

Vulnerability Details

  • Affected Functions:

    • _rankCandidates

    • _selectPresidentRecursive

  • Issue Explanation:

    • No Validation: Neither _rankCandidates nor _selectPresidentRecursive checks that a candidate is a non-zero address.

    • Zero Address Inclusion: Voters can place address(0) anywhere in their orderedCandidates array, and it is stored and tallied like any other candidate.

    • Election of Zero Address: If address(0) wins the ranked-choice tally, it is set as s_currentPresident.

Impact

  • Contract Integrity: Setting the president to address(0) may cause unexpected behavior in other contract functions that rely on a valid president address.

  • Governance Disruption: Could undermine the legitimacy of the election process.

  • Exploitability: address(0) only receives votes if voters rank it themselves, and a single voter cannot force a ranked-choice result on their own, so this is an input-validation gap rather than an attack path. That is consistent with the judging outcome recorded below.

Tools Used

  • Manual Code Review: Identified lack of validation for candidate addresses.

Recommendations

  • Validate Candidate Addresses:

    • Non-Zero Check: Ensure that candidate addresses are not the zero address.

      require(candidate != address(0), "Invalid candidate address");
    • Implement in _rankCandidates:

      for (uint256 i = 0; i < orderedCandidates.length; i++) {
          require(orderedCandidates[i] != address(0), "Invalid candidate");
          // Additional checks...
      }
  • Sanitize Candidate List:

    • If malformed input must be tolerated rather than rejected, remove any instances of address(0) from candidate lists before tallying. Reverting is preferable, though: silently dropping an entry changes the voter's stated preference order without their knowledge.

  • Restrict Candidate Submission:

    • Maintain a whitelist or registry of valid candidates that voters can choose from.
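The check above, carried through into a small ranking contract with a Foundry test, as an added example that is not the President Elector code or part of the original submission. Only the names taken from the report (_rankCandidates, orderedCandidates, address(0)) are shared with the project; the contract name, MAX_CANDIDATES, the custom errors, the storage layout and the forge-std test are assumptions. It goes one step beyond the report by rejecting duplicate entries as well, since a candidate listed twice would be counted twice by a naive tally.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Illustrative ranking contract (added example, not the President Elector code).
/// Names mirror the report (_rankCandidates, orderedCandidates); MAX_CANDIDATES,
/// the error names and the storage layout are assumptions.
contract RankingWithValidation {
    error InvalidCandidate(uint256 index);
    error DuplicateCandidate(uint256 index);
    error TooManyCandidates();

    uint256 public constant MAX_CANDIDATES = 10;

    mapping(address => address[]) private s_rankings;

    function rankCandidates(address[] calldata orderedCandidates) external {
        _rankCandidates(orderedCandidates, msg.sender);
    }

    function getRanking(address voter) external view returns (address[] memory) {
        return s_rankings[voter];
    }

    function _rankCandidates(address[] calldata orderedCandidates, address voter) internal {
        if (orderedCandidates.length > MAX_CANDIDATES) revert TooManyCandidates();
        for (uint256 i = 0; i < orderedCandidates.length; i++) {
            address candidate = orderedCandidates[i];
            // Revert instead of silently dropping the entry: rewriting a ballot
            // would change the voter's stated preference order.
            if (candidate == address(0)) revert InvalidCandidate(i);
            // A candidate listed twice would be counted twice by a naive tally.
            for (uint256 j = 0; j < i; j++) {
                if (orderedCandidates[j] == candidate) revert DuplicateCandidate(i);
            }
        }
        s_rankings[voter] = orderedCandidates;
    }
}

/// Foundry test for the validation above (assumes forge-std is installed).
contract RankingWithValidationTest is Test {
    RankingWithValidation internal ranking;
    address internal alice = makeAddr("alice");
    address internal bob = makeAddr("bob");

    function setUp() public {
        ranking = new RankingWithValidation();
    }

    function test_zeroAddressBallotReverts() public {
        address[] memory ballot = new address[](2);
        ballot[0] = alice;
        ballot[1] = address(0); // index 1 is the offending entry
        vm.expectRevert(abi.encodeWithSelector(RankingWithValidation.InvalidCandidate.selector, 1));
        ranking.rankCandidates(ballot);
    }

    function test_duplicateBallotReverts() public {
        address[] memory ballot = new address[](2);
        ballot[0] = alice;
        ballot[1] = alice; // index 1 repeats index 0
        vm.expectRevert(abi.encodeWithSelector(RankingWithValidation.DuplicateCandidate.selector, 1));
        ranking.rankCandidates(ballot);
    }

    function test_validBallotIsStored() public {
        address[] memory ballot = new address[](2);
        ballot[0] = alice;
        ballot[1] = bob;
        ranking.rankCandidates(ballot);
        assertEq(ranking.getRanking(address(this)).length, 2);
    }
}
```

Run with `forge test` in a project that has forge-std installed. The index carried in the custom error tells the caller which ballot entry was rejected, which is more useful than a bare require string when a front end needs to highlight the bad entry.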

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
