Multi-Candidates election can be manipulated by submitting duplicate positions #6721

Open · Chris-Hibbert opened this issue Dec 23, 2022 · Discussed in #6711 · 0 comments
Assignees: Chris-Hibbert
Labels: bug (Something isn't working), Governance, security, vaults_triage (DO NOT USE)

Comments

@Chris-Hibbert (Contributor)

Discussed in #6711

Originally posted by simpletrontdip December 22, 2022
Hi, while reading through the code, I've found out that submitVote does not check for the uniqueness of positions.
Since inside countVotes we only find the position index and add the shares, some voters can exploit this to manipulate the election's result, say:

```js
submitVote(['A', 'A', 'A']);

// instead of
submitVote(['A', 'B', 'C']);
```

```js
// countVotes: every position listed on a ballot receives the ballot's full shares,
// so a ballot that repeats the same position adds to that tally more than once.
for (const { chosen, shares } of allBallots.values()) {
  for (const position of chosen) {
    const positionIndex = positions.findIndex(p => keyEQ(p, position));
    if (positionIndex < 0) {
      spoiled += shares;
    } else {
      tally[positionIndex] += shares;
    }
  }
}
```

```js
// submitVote: checks the count and legality of each choice, but not that the choices are distinct.
submitVote(voterHandle, chosenPositions, shares = 1n) {
  chosenPositions.length <= maxChoices ||
    Fail`The number of choices exceeds the max choices.`;
  chosenPositions.forEach(position => {
    positionIncluded(positions, position) ||
      Fail`The specified choice is not a legal position: ${position}.`;
  });
  const completedBallot = harden({ chosen: chosenPositions, shares });
  allBallots.has(voterHandle)
    ? allBallots.set(voterHandle, completedBallot)
    : allBallots.init(voterHandle, completedBallot);
  return completedBallot;
},
```
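To make the effect concrete, here is an added, self-contained reproduction of the tally described above together with a ballot check that rejects duplicates; it is not the project's code. It assumes positions are plain strings, so `keyEQ`, `harden` and `Fail` are replaced by `indexOf`, `Object.freeze` and thrown errors, and `allBallots` is a plain `Map`.

```javascript
// Added example, not the project's code. Positions are assumed to be plain
// strings; the project compares structured positions with keyEQ instead.
const positions = ['A', 'B', 'C', 'D'];
const maxChoices = 3;

// Mirrors the submitVote in the issue: checks count and legality, not distinctness.
function submitVoteVulnerable(allBallots, voterHandle, chosenPositions, shares = 1n) {
  if (chosenPositions.length > maxChoices) {
    throw new Error('The number of choices exceeds the max choices.');
  }
  for (const position of chosenPositions) {
    if (!positions.includes(position)) {
      throw new Error(`The specified choice is not a legal position: ${position}.`);
    }
  }
  const ballot = Object.freeze({ chosen: chosenPositions, shares });
  allBallots.set(voterHandle, ballot);
  return ballot;
}

// Hardened variant: a ballot may name each position at most once.
// (Set works for string positions; structured positions would need a keyEQ-based check.)
function submitVoteFixed(allBallots, voterHandle, chosenPositions, shares = 1n) {
  if (new Set(chosenPositions).size !== chosenPositions.length) {
    throw new Error('A ballot may not list the same position more than once.');
  }
  return submitVoteVulnerable(allBallots, voterHandle, chosenPositions, shares);
}

// Mirrors countVotes: each listed position receives the ballot's full shares.
function countVotes(allBallots) {
  const tally = positions.map(() => 0n);
  let spoiled = 0n;
  for (const { chosen, shares } of allBallots.values()) {
    for (const position of chosen) {
      const idx = positions.indexOf(position);
      if (idx < 0) spoiled += shares; else tally[idx] += shares;
    }
  }
  return { tally, spoiled };
}

// One honest voter and one repeating 'A' three times: A ends with 4n shares, B and C with 1n.
function demo() {
  const ballots = new Map();
  submitVoteVulnerable(ballots, 'honest', ['A', 'B', 'C']);
  submitVoteVulnerable(ballots, 'repeater', ['A', 'A', 'A']);
  const { tally } = countVotes(ballots);
  let rejected = false;
  try { submitVoteFixed(new Map(), 'repeater', ['A', 'A', 'A']); } catch { rejected = true; }
  return { tally, rejected };
}
```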

Chris-Hibbert added the bug, security and Governance labels on Dec 23, 2022
Chris-Hibbert self-assigned this on Dec 23, 2022
ivanlei added the vaults_triage (DO NOT USE) label on Jan 4, 2023
ivanlei added this to the Vaults RC0 milestone on Feb 1, 2023
ivanlei removed this from the Vaults EVP milestone on Apr 18, 2023