Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: high
Valid

Missing caller check on `checkList` function

Summary

Anyone can checkList any person by calling checkList function.

Vulnerability Details

The function checkList is not utilizing the modifier onlySanta to prevent others from calling it.

Impact

The function checkList can be abused as anyone can check himself (or anyone else). Below is a PoC:

// audit-danger anyone can call `checkList`
function testAnyOneCanCallCheckList() public {
address addr = makeAddr("0xbrivan");
santasList.checkList(addr, SantasList.Status.EXTRA_NICE);
assertEq(uint256(SantasList.Status.EXTRA_NICE), uint256(santasList.getNaughtyOrNiceOnce((addr))));
}
[PASS] testAnyOneCanCallCheckList() (gas: 34849)

Tools Used

Manual analysis

Recommendations

Consider checking that the caller of the function matches i_santa by utilizing the modifier onlySanta

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.