The contract does not prevent voters from submitting the zero address (address(0)) as a candidate. This could result in the zero address receiving votes and potentially being elected as president, which is likely unintended and could disrupt contract functionality.
Affected Functions:
_rankCandidates
_selectPresidentRecursive
Issue Explanation:
No Validation: There is no check to ensure that candidates are valid, non-zero addresses.
Zero Address Inclusion: Voters can include address(0) in their orderedCandidates.
Election of Zero Address: If address(0) receives the majority of votes, it could be set as s_currentPresident.
Impact:
Contract Integrity: Setting the president to address(0) may cause unexpected behavior in other contract functions that rely on a valid president address.
Governance Disruption: Could undermine the legitimacy of the election process.
Tools Used:
Manual Code Review: Identified lack of validation for candidate addresses.
Recommendations:
Validate Candidate Addresses:
Non-Zero Check: Ensure that candidate addresses are not the zero address, and revert the submission if one is present.
Implement in _rankCandidates: Perform the check before the ballot is processed, so that an invalid orderedCandidates list can never reach _selectPresidentRecursive.
Sanitize Candidate List:
Before processing, remove any instances of address(0) from candidate lists (as an alternative to reverting).
Restrict Candidate Submission:
Maintain a whitelist or registry of valid candidates that voters can choose from.
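The following is an added example of the recommended mitigations, not code from the audited contract. It models a minimal stand-in contract: the storage variable s_currentPresident is taken from the finding, while the registry mapping, the _validateBallot helper, the _setPresident helper, the custom errors and the rankCandidates entry point are assumptions introduced here to show where the checks belong. The real ranking and recursive selection logic is not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal stand-in for the voting contract (added example, not the audited code).
/// Only the pieces needed to show the zero-address validation are modelled.
contract RankedChoiceExample {
    error ZeroAddressCandidate(uint256 index);
    error DuplicateCandidate(address candidate);
    error NotRegisteredCandidate(address candidate);
    error ZeroAddressPresident();

    // From the finding: the elected president.
    address public s_currentPresident;

    // Assumption: an explicit registry of eligible candidates (the "whitelist"
    // recommendation). address(0) can never be registered.
    mapping(address => bool) public s_isRegisteredCandidate;
    address[] private s_candidateList;

    // Assumption: each voter's ordered ballot is stored for later tallying.
    mapping(address => address[]) private s_rankings;

    /// Register an eligible candidate. Rejects the zero address at the source.
    function registerCandidate(address candidate) external {
        if (candidate == address(0)) revert ZeroAddressCandidate(0);
        if (!s_isRegisteredCandidate[candidate]) {
            s_isRegisteredCandidate[candidate] = true;
            s_candidateList.push(candidate);
        }
    }

    /// Voter entry point (hypothetical name). The ballot is validated before it
    /// is stored, so an invalid list never reaches the ranking/selection logic.
    function rankCandidates(address[] calldata orderedCandidates) external {
        _validateBallot(orderedCandidates);
        s_rankings[msg.sender] = orderedCandidates;
    }

    /// Rejects address(0), duplicate entries, and unregistered addresses.
    /// Reverting (rather than silently dropping entries) keeps the voter's
    /// submitted intent and the stored ballot identical.
    function _validateBallot(address[] calldata orderedCandidates) internal view {
        uint256 n = orderedCandidates.length;
        for (uint256 i = 0; i < n; ++i) {
            address c = orderedCandidates[i];
            if (c == address(0)) revert ZeroAddressCandidate(i);
            if (!s_isRegisteredCandidate[c]) revert NotRegisteredCandidate(c);
            // Quadratic duplicate scan; ballots are short, so this is acceptable.
            for (uint256 j = 0; j < i; ++j) {
                if (orderedCandidates[j] == c) revert DuplicateCandidate(c);
            }
        }
    }

    /// Alternative "sanitize" strategy: return a copy of the ballot with every
    /// address(0) entry removed, preserving the order of the remaining entries.
    function _stripZeroAddress(address[] memory ordered)
        internal
        pure
        returns (address[] memory cleaned)
    {
        uint256 kept = 0;
        for (uint256 i = 0; i < ordered.length; ++i) {
            if (ordered[i] != address(0)) ++kept;
        }
        cleaned = new address[](kept);
        uint256 w = 0;
        for (uint256 i = 0; i < ordered.length; ++i) {
            if (ordered[i] != address(0)) cleaned[w++] = ordered[i];
        }
    }

    /// Defense in depth at the point of assignment: even if a zero-address
    /// ballot slipped past input validation, it can never become president.
    function _setPresident(address winner) internal {
        if (winner == address(0)) revert ZeroAddressPresident();
        s_currentPresident = winner;
    }
}
```

Of the two strategies the finding lists, reverting in the voter entry point is the stronger default: a stripped ballot silently changes what was submitted, whereas a revert tells the voter exactly which index was invalid. The final check in _setPresident is cheap and guards against any future code path that bypasses ballot validation.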