President Elector

First Flight #24
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Lack of Constructor for `s_previousVoteEndTimeStamp` Allows Malicious Voter to Manipulate Election Timeline

Summary

A malicious voter can manipulate the election timeline and select the president immediately after contract deployment because `s_previousVoteEndTimeStamp` is never initialized. This flaw lets an attacker bypass the intended 4-year election cycle and prematurely decide the election outcome.

Vulnerability Details

The `s_previousVoteEndTimeStamp` variable, which determines when the current voting period ends, is not set in the contract's constructor. Left uninitialized, it holds the Solidity default value of 0, so the time-based check that gates `selectPresident` is satisfied from the moment the contract is deployed. A voter who ranks a candidate and then immediately calls `selectPresident` can therefore conclude the election without waiting for the required election timeline, producing unintended election outcomes.

Impact

A malicious user can prematurely trigger the election right after deployment by ranking a candidate and then calling `selectPresident`. The election then takes place without respecting the intended 4-year term, undermining the integrity of the ranked-choice voting system.

Tools Used

Manual code review.

Recommendations

Initialize `s_previousVoteEndTimeStamp`: add a constructor that sets `s_previousVoteEndTimeStamp` to the current block's timestamp (`block.timestamp`). Anchoring the timeline at deployment ensures the voting schedule is enforced from the start and prevents premature elections.
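The following is an added example, not the President Elector source or a Cyfrin-provided fix. It is a hypothetical, reduced model of the election timer (the `ELECTION_INTERVAL` constant, the `ElectionNotEnded` error and the exact form of the time check are assumptions) that applies the recommended constructor, together with a Foundry test showing that `selectPresident` reverts at deployment and succeeds only once the interval has elapsed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical reduced model of the election timer; not the audited contract.
contract ElectionTimerExample {
    // Stand-in for the 4-year election cycle (assumed value).
    uint256 public constant ELECTION_INTERVAL = 4 * 365 days;

    uint256 public s_previousVoteEndTimeStamp;
    address public s_currentPresident;

    error ElectionNotEnded();

    // The recommended fix: anchor the timeline at deployment time.
    // Without this, the variable is 0 and `0 + ELECTION_INTERVAL` lies far
    // in the past on any live chain, so the check below passes immediately.
    constructor() {
        s_previousVoteEndTimeStamp = block.timestamp;
    }

    // Assumed shape of the gating check; the real contract also tallies ranked votes.
    function selectPresident(address winner) external {
        if (block.timestamp < s_previousVoteEndTimeStamp + ELECTION_INTERVAL) {
            revert ElectionNotEnded();
        }
        s_currentPresident = winner;
        s_previousVoteEndTimeStamp = block.timestamp;
    }
}

// Foundry regression test for the fix (run with `forge test`).
contract ElectionTimerExampleTest is Test {
    address constant CANDIDATE = address(0xBEEF); // constructed sample address

    function testCannotSelectPresidentAtDeployment() public {
        ElectionTimerExample e = new ElectionTimerExample();
        vm.expectRevert(ElectionTimerExample.ElectionNotEnded.selector);
        e.selectPresident(CANDIDATE);
    }

    function testCanSelectPresidentAfterInterval() public {
        ElectionTimerExample e = new ElectionTimerExample();
        vm.warp(block.timestamp + e.ELECTION_INTERVAL());
        e.selectPresident(CANDIDATE);
        assertEq(e.s_currentPresident(), CANDIDATE);
    }
}
```

The first test is the one that fails against a contract lacking the constructor when run against a fork of a live chain, where `block.timestamp` already exceeds the assumed interval; Foundry's default local timestamp is small, so a fork or an explicit `vm.warp` to a realistic timestamp is needed to reproduce the uninitialized case locally.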

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`s_previousVoteEndTimeStamp` variable not being initialized correctly
