President Elector

First Flight #24
Beginner Friendly, Foundry
Submission Details
Severity: medium
Invalid

Absence of Vote Cycles Tracking

Summary

The RankedChoice contract does not implement robust vote cycle tracking or voter participation checks, which could allow voters to submit their rankings multiple times within the same election. This introduces a vulnerability where the integrity of the voting process is compromised, potentially leading to unfair results. Without tracking whether a voter has already participated, the system cannot enforce the 'one voter, one vote' rule effectively.

Vulnerability Details

In ranked-choice voting, each voter should only be allowed to submit one ranked list of candidates per election round. However, the RankedChoice contract lacks mechanisms to track whether a voter has already cast their vote, so a voter could potentially cast multiple votes by calling the rankCandidates or rankCandidatesBySig functions repeatedly.

Impact

Voters can submit multiple votes, skewing the results and undermining the fairness of the election. A malicious voter or candidate could submit their rankings repeatedly, artificially boosting certain candidates and distorting the outcome.

Tools Used

Manual Review

Recommendations

Introduce a mechanism to track whether a voter has already submitted their vote in the current election round. This can be done by adding a mapping that records the participation status of each voter.
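
An added sketch of the mapping described above, not code from the RankedChoice contract or from this submission. Apart from rankCandidates and rankCandidatesBySig, every name (round, hasVoted, _record, startNextRound) and the simplified signature digest are assumptions made for illustration. It keys participation by round and by the actual voter, so the direct and by-signature entry points share one check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Illustration only: state layout and helper names are hypothetical,
// not taken from the RankedChoice contract.
contract ParticipationGuardSketch {
    error AlreadyVoted(address voter, uint256 round);
    error BadSignature();

    // Hypothetical election round counter; a new round starts with a clean slate.
    uint256 public round = 1;
    // round => voter => has already submitted a ranking in that round
    mapping(uint256 => mapping(address => bool)) public hasVoted;
    // round => voter => ordered candidate list
    mapping(uint256 => mapping(address => address[])) private rankings;

    // Direct path: the voter is the caller.
    function rankCandidates(address[] calldata ordered) external {
        _record(msg.sender, ordered);
    }

    // Signature path: the voter is the recovered signer, not the relayer.
    function rankCandidatesBySig(
        address[] calldata ordered,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        // Simplified digest (assumption): binds chain, contract and round so
        // a signature from one round or deployment is not valid in another.
        bytes32 digest = keccak256(abi.encode(block.chainid, address(this), round, ordered));
        address signer = ecrecover(digest, v, r, s);
        if (signer == address(0)) revert BadSignature();
        _record(signer, ordered);
    }

    // Single choke point: both entry points go through the same check.
    function _record(address voter, address[] calldata ordered) private {
        if (hasVoted[round][voter]) revert AlreadyVoted(voter, round);
        hasVoted[round][voter] = true;
        rankings[round][voter] = ordered;
    }

    // Access control omitted in this sketch; a real contract would restrict it.
    function startNextRound() external {
        round += 1;
    }
}
```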

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[Invalid] Vote Cycles not properly tracked
