BUG: The RankedBallot.sol contract allows a single voter to assign multiple ranks #228

@aniket866

Is there an existing issue for this?

  • I have searched the existing issues

Issue Description ✍️

📌 Describe the Bug
The RankedBallot.sol contract allows a single voter to assign multiple ranks to the same candidate within a single transaction. This bypasses the intended "one rank per candidate" logic of ranked-choice voting.

🚨 Actual Behavior
In the vote function, the contract iterates through the provided voteArr and adds points to the candidateVotes mapping based on the index. Because there is no validation to ensure each candidateID in the array is unique, a user can submit an array like [0, 0, 0]. This results in Candidate 0 receiving the points intended for 1st, 2nd, and 3rd place combined, effectively triple-counting the user's influence on that specific candidate.

🎯 Expected Behavior
The vote function should validate that the voteArr contains a unique list of candidate IDs. Each candidate should only be ranked once per ballot to maintain the integrity of the weighted voting system.

📷 Screenshot
(Not applicable for smart contract logic bugs)

💡 Suggestions
Add a uniqueness check inside the vote function. This can be achieved by using a temporary boolean array or a bitmask to track which candidates have already been processed in the current loop.

function vote(uint[] memory voteArr) external onlyOwner {
    uint totalCandidates = candidateVotes.length;
    if (voteArr.length != totalCandidates) revert VoteInputLength();

    bool[] memory seen = new bool[](totalCandidates); // Track unique IDs

    for (uint i = 0; i < totalCandidates; i++) {
        uint candidateId = voteArr[i];
        if (candidateId >= totalCandidates) revert InvalidCandidateID();
        if (seen[candidateId]) revert DuplicateCandidateID(); // Revert on duplicates

        seen[candidateId] = true;
        candidateVotes[candidateId] += totalCandidates - i;
    }
}

Record

  • I have synced all my node versions as mentioned in the project
  • I am using the same version of npm as is the project
  • My current branch is in sync with the development branch
  • I want to work on this issue
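
The bitmask variant mentioned under Suggestions, shown next to the unchecked tally the issue describes. This is an added example, not part of the original issue or the project's RankedBallot.sol. The contract name, constructor, the TooManyCandidates error and the 256-candidate cap are assumptions, and access control (onlyOwner in the snippet above) is left out to keep the sketch self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; hypothetical contract, not the project's code.
contract RankedTallySketch {
    error VoteInputLength();
    error InvalidCandidateID();
    error DuplicateCandidateID();
    error TooManyCandidates(); // assumption: needed only for the bitmask cap

    uint[] public candidateVotes;

    constructor(uint totalCandidates) {
        // A single uint256 mask can track at most 256 candidate IDs.
        if (totalCandidates > 256) revert TooManyCandidates();
        candidateVotes = new uint[](totalCandidates);
    }

    /// Tally as described in the issue: no uniqueness check, so with three
    /// candidates the ballot [0, 0, 0] credits candidate 0 with 3 + 2 + 1 points.
    function voteUnchecked(uint[] calldata voteArr) external {
        uint n = candidateVotes.length;
        if (voteArr.length != n) revert VoteInputLength();
        for (uint i = 0; i < n; i++) {
            uint id = voteArr[i];
            if (id >= n) revert InvalidCandidateID();
            candidateVotes[id] += n - i;
        }
    }

    /// Same tally with a bitmask: bit `id` is set once candidate `id` is ranked.
    /// A repeated ID reverts, which also rolls back points added earlier in the loop.
    function voteChecked(uint[] calldata voteArr) external {
        uint n = candidateVotes.length;
        if (voteArr.length != n) revert VoteInputLength();
        uint256 seen = 0;
        for (uint i = 0; i < n; i++) {
            uint id = voteArr[i];
            if (id >= n) revert InvalidCandidateID();
            uint256 bit = uint256(1) << id; // id < n <= 256, so the shift is in range
            if ((seen & bit) != 0) revert DuplicateCandidateID();
            seen |= bit;
            candidateVotes[id] += n - i;
        }
    }
}
```

Because the ballot length must equal the candidate count and every ID must be in range and unique, an accepted ballot is always a full permutation of the candidate IDs.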
