Beginner Friendly / Foundry
100 EXP
Submission Details
Severity: high
Valid

change status in `s_theListCheckedOnce`

Summary

Anyone can change a person's status by calling `checkList`.

Vulnerability Details

`checkList` has no access restriction, so it is callable by anyone.

Impact

Anyone can manipulate the `s_theListCheckedOnce` mapping, setting an arbitrary status for any address.

Test (Foundry, placed inside the test contract that deploys `santasList` and defines `user`):

```solidity
function testCheckListIsCallableByAnyone() public {
    // Call from an unprivileged address, not from Santa.
    vm.prank(user);
    santasList.checkList(user, SantasList.Status.NICE);
    // The status written by the unprivileged caller is now stored.
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));
}
```

Traces:

```text
[PASS] testCheckListIsCallableByAnyone() (gas: 15913)
Traces:
[15913] Codehawk::testCheckListIsCallableByAnyone()
├─ [0] VM::prank(user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D])
│ └─ ← ()
├─ [4211] SantasList::checkList(user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D], 0)
│ ├─ emit CheckedOnce(person: user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D], status: 0)
│ └─ ← ()
├─ [690] SantasList::getNaughtyOrNiceOnce(user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D]) [staticcall]
│ └─ ← 0
└─ ← ()
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.83ms
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)
```

Tools Used

Manual review, Foundry

Recommendations

Add the `onlySanta` modifier to `checkList` so that only Santa can write to `s_theListCheckedOnce`.
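A minimal contract carrying the recommended `onlySanta` guard, plus a Foundry regression test showing that the unprivileged call from the PoC above now reverts. This is an added illustration, not the audited SantasList code; `i_santa`, the `SantasList__NotSanta` error, the `Status` members after `NICE` and the forge-std import are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumed: forge-std available in lib/

// Added illustration, not the audited SantasList contract. i_santa, the
// SantasList__NotSanta error and the Status members after NICE are assumptions.
contract SantasListHardened {
    enum Status { NICE, EXTRA_NICE, NAUGHTY, NOT_CHECKED_TWICE } // NICE == 0, as in the trace
    error SantasList__NotSanta();
    address private immutable i_santa;
    mapping(address person => Status status) private s_theListCheckedOnce;
    event CheckedOnce(address indexed person, Status status);

    constructor() {
        i_santa = msg.sender; // the deployer is Santa
    }

    // The recommended guard: revert unless the caller is Santa.
    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }

    // Before the fix this function carried no modifier, so any address could
    // write any status into s_theListCheckedOnce for any person.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

    function getNaughtyOrNiceOnce(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

// Regression test mirroring the PoC: the unprivileged call must now revert.
contract SantasListAccessTest is Test {
    SantasListHardened santasList;
    address user = makeAddr("user");

    function setUp() public {
        santasList = new SantasListHardened(); // this test contract is Santa
    }

    function testCheckListRevertsForNonSanta() public {
        vm.prank(user);
        vm.expectRevert(SantasListHardened.SantasList__NotSanta.selector);
        santasList.checkList(user, SantasListHardened.Status.NICE);
    }
}
```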

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality and is meant to be callable only by Santa.
