Submission Details
Severity: high
Valid

A malicious user can call `SantasList::checkList`

Summary

Anyone can call the `SantasList::checkList` function because it has no access control.

Vulnerability Details

`SantasList::checkList` is meant to be called only by Santa, but the function has no access-control check, so any address can call it and write an arbitrary `Status` for any `person` into `s_theListCheckedOnce`.

Here is the PoC (a Foundry test added to the existing test contract, which already exposes `santasList` and a non-Santa address `user`):

```solidity
function test_anyoneCanCallCheckList() public {
    // `user` calls checkList instead of Santa
    vm.prank(user);
    santasList.checkList(user, SantasList.Status.NICE);
    // the status written by the unauthorised caller is persisted on-chain
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));
}
```

Impact

A malicious actor can set any status for any address in `s_theListCheckedOnce`, including marking themselves as `NICE`, without Santa ever having checked the list.

Tools Used

  • Manual review

Recommendations

Add the `onlySanta` modifier to `SantasList::checkList` so that only Santa can record a first check:

- function checkList(address person, Status status) external{
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
+ function checkList(address person, Status status) external onlySanta{
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
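Review bot: only the two signature lines carry `-`/`+` markers; the three body lines are shown twice without any prefix, so the hunk reads as if the body were duplicated rather than unchanged. Either prefix the whole removed function with `-` and the whole added one with `+`, or reduce the hunk to the single changed line (`- function checkList(address person, Status status) external{` / `+ function checkList(address person, Status status) external onlySanta{`) with the body as unprefixed context. It would also help to pair the fix with a test that the PoC call now reverts for a non-Santa caller.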
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality and is meant to be callable only by Santa.
