President Elector

First Flight #24
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Risk of Self-Voting Manipulation by Candidates

Summary

The RankedChoice contract allows voters to rank candidates for the presidency. However, the contract does not prevent candidates from voting for themselves multiple times. This creates a vulnerability where a candidate, if included in the VOTERS list, can manipulate the voting process by repeatedly ranking themselves first, skewing the election results in their favor.

Vulnerability Details

The contract allows voters to rank candidates in order of preference, but it does not impose any checks to prevent candidates from voting for themselves or placing themselves at the top of their ranking. This lack of restriction opens up the potential for manipulation, particularly in situations where candidates can also act as voters.

function rankCandidates(address[] memory orderedCandidates) external {
    _rankCandidates(orderedCandidates, msg.sender);
}

In the above function, any voter, including candidates, can submit their ranked choices without restrictions. A candidate who is also a voter can rank themselves as the top candidate, potentially multiple times depending on the election rules. If a candidate controls multiple voting addresses, this manipulation could be compounded.

Impact

Candidates can gain an unfair advantage by leveraging multiple addresses to vote for themselves, skewing election results.

Tools Used

Manual Review

Recommendations

Ensure that each address corresponds to a unique voter, reducing the risk of multiple votes from a single candidate.
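
One way to enforce this recommendation on-chain, as an added example (not code from the RankedChoice contract or from this submission). The contract name, storage names and custom errors are hypothetical; only the rankCandidates signature is taken from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration; not the RankedChoice contract's code.
// UniqueVoterBallot, s_isVoter, s_ranking and the errors are hypothetical names.
contract UniqueVoterBallot {
    error ZeroAddress();
    error DuplicateVoter(address voter);
    error NotAVoter(address caller);
    error DuplicateCandidate(address candidate);

    mapping(address => bool) private s_isVoter;
    mapping(address => address[]) private s_ranking;

    constructor(address[] memory voters) {
        for (uint256 i = 0; i < voters.length; i++) {
            address v = voters[i];
            if (v == address(0)) revert ZeroAddress();
            // Each address may appear in the voter list only once.
            if (s_isVoter[v]) revert DuplicateVoter(v);
            s_isVoter[v] = true;
        }
    }

    function rankCandidates(address[] memory orderedCandidates) external {
        if (!s_isVoter[msg.sender]) revert NotAVoter(msg.sender);
        // A candidate may appear at most once within a single ranking.
        for (uint256 i = 0; i < orderedCandidates.length; i++) {
            for (uint256 j = i + 1; j < orderedCandidates.length; j++) {
                if (orderedCandidates[i] == orderedCandidates[j]) {
                    revert DuplicateCandidate(orderedCandidates[i]);
                }
            }
        }
        // Overwrite, never append: one stored ballot per voter address,
        // so resubmitting replaces the earlier ranking instead of adding a vote.
        s_ranking[msg.sender] = orderedCandidates;
    }

    function rankingOf(address voter) external view returns (address[] memory) {
        return s_ranking[voter];
    }
}
```

Address uniqueness is all the contract itself can check; whether distinct addresses belong to distinct people has to be settled when the voter list is assembled.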

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
