President Elector

First Flight #24

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

rankCandidates function Input Validation Issues

ledgerLongBeard

Summary

The rankCandidates() function in the RankedChoice contract does not properly validate that the orderedCandidates array contains unique candidates. A user can potentially rank the same candidate multiple times, which may lead to unintended voting behavior.

Vulnerability Details

The vulnerability arises because there is no check in place to ensure that each candidate is ranked only once in the orderedCandidates array. Without this validation:

A voter can submit an array where the same candidate is ranked multiple times (e.g., [candidate1, candidate1, candidate2]), which may not be the intended use of ranked voting.
The contract allows up to 10 candidates, but there is no check to ensure that candidates are unique within the same list, leading to potential vote distortion or manipulation.

Impact

Vote Distortion: Voters could intentionally or unintentionally give one candidate multiple votes by ranking them in multiple positions, leading to inaccurate vote counting.

Election Manipulation: Malicious users could exploit this loophole by submitting votes that heavily favor one candidate, undermining the fairness of the election.
Unintended Behavior: The lack of validation could result in voters mistakenly submitting incorrect ballots, leading to confusion and potential miscounts.

Tools Used

Recommendations

Check for Duplicate Candidates: Introduce validation to ensure that the orderedCandidates array does not contain duplicate candidates. The contract should revert if any candidate appears more than once in the ranked list.

Example Solution:

Ensure Unique Candidates: This validation ensures that each candidate is ranked only once, preventing potential vote distortion and manipulation.

function _rankCandidates(address[] memory orderedCandidates, address voter) internal {

if (orderedCandidates.length > MAX_CANDIDATES) {

revert RankedChoice__InvalidInput();

}

if (!_isInArray(VOTERS, voter)) {

revert RankedChoice__InvalidVoter();

}

// Check for duplicate candidates

for (uint256 i = 0; i < orderedCandidates.length; i++) {

for (uint256 j = i + 1; j < orderedCandidates.length; j++) {

if (orderedCandidates[i] == orderedCandidates[j]) {

revert RankedChoice__InvalidInput(); // Duplicate candidate found

}

// Internal Effects

s_rankings[voter][s_voteNumber] = orderedCandidates;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

rankCandidates() allows duplicate votes inside the `orderedCandidates` array

Appeal created

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

rankCandidates() allows duplicate votes inside the `orderedCandidates` array

Rewards breakdown

nSLOC

140

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.