President Elector

Summary

In the RankedChoice smart contract, voters can continue to submit or change their rankings even after the selectPresident function has been called. This introduces a significant issue, as votes can still be altered after the president has been selected, potentially undermining the election process.

Vulnerability Details

The current implementation of the RankedChoice contract does not prevent voters from modifying their rankings after the selectPresident function is executed. The selectPresident function tallies the votes and selects a president based on the rankings submitted by voters. However, after this function is called, there is no mechanism in place to freeze or restrict further ranking changes.

This oversight can be exploited, as voters may continue to change their votes, even after the president has been elected. This allows manipulation of the election outcome after the fact, especially if the selectPresident function is not immediately executed after the voting period ends.

Impact

This could lead to the following issues; voters could alter their rankings even after the president has been selected, potentially allowing them to claim they had voted differently, the absence of vote finalization undermines the credibility of the election process, as it becomes unclear when the official vote results were locked in.

Tools Used

Manual Review

Recommendations

Implement a mechanism that prevents any further vote submissions or modifications after the selectPresident function is executed. This could be done by introducing a flag, such as votingClosed, which is set to true once the election results are finalized.