President Elector

First Flight #24

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Potential for Single Entity Voting with Multiple Addresses

brene

Summary

The RankedChoice smart contract does not include a mechanism to ensure that each voter represents a unique individual or entity. This opens up the possibility that a single entity could vote multiple times by using different addresses, which could unfairly skew the results of an election. The lack of verification for voter identities or uniqueness makes the system vulnerable to manipulation.

Vulnerability Details

In the RankedChoice contract, voters are identified by their Ethereum addresses. However, the contract does not enforce any validation or verification to ensure that each voter address belongs to a unique individual or entity. As a result, an individual or organization could control multiple Ethereum addresses, allowing them to cast multiple votes in the election.

The VOTERS array is initialized in the constructor, and voters are referenced solely by their addresses:

>> address[] private VOTERS;

mapping(address voter => mapping(uint256 voteNumber => address[] orderedCandidates))

private s_rankings;

// For selecting the president

address[] private s_candidateList;

mapping(address candidate => mapping(uint256 voteNumber => mapping(uint256 roundId => uint256 votes)))

private s_candidateVotesByRound;

/*//////////////////////////////////////////////////////////////

USER FUNCTIONS

//////////////////////////////////////////////////////////////*/

constructor(address[] memory voters) EIP712("RankedChoice", "1") {

>> VOTERS = voters;

i_presidentalDuration = 1460 days;

s_currentPresident = msg.sender;

s_voteNumber = 0;

}

This code initializes the list of voters based on addresses provided at the contract deployment, but does not prevent the same person from controlling multiple addresses.

Potential Exploit Scenario
A single entity generates or controls multiple addresses.
Each address is added to the VOTERS array, allowing the entity to vote multiple times, thus gaining disproportionate influence in the election.
The entity can manipulate the election outcome by ranking candidates multiple times, effectively overriding the votes of other participants.

Impact

The voting outcome can be manipulated by individuals controlling multiple addresses, undermining the fairness and integrity of the election. It also undermines decentralized governance by allowing a small group of people (or individuals controlling multiple addresses) to control election outcomes, leading to governance centralization.

Tools Used

Manual Review

Recommendations

Implement identity verification mechanisms to ensure each voter is uniquely identified, possibly integrating with decentralized identity solutions.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

140

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.