Submission Details
Severity: high
Valid

SantasList:checkList() missing onlySanta modifier allows non-Santa user to conduct first check, potentially resulting in person receiving NFT with only one Santa-conducted check

Summary

checkList() missing onlySanta modifier allows non-Santa user to conduct first check, potentially resulting in person receiving NFT with only one Santa-conducted check

Vulnerability Details

SantasList:checkList() can be executed by a non-Santa user, contrary to the protocol documentation. This permits a person's first check to be done by a non-Santa user, and potentially allows Santa to conduct a 2nd check on a person whose first check was not done as expected. The result would be that the person receives the NFT when they should not.

Impact

Low overall impact (Impact: Medium, Likelihood: Low)
Would require Santa to do a 2nd check on a person for whom he did not conduct a 1st check.

Tools Used

Visual Studio Code, Foundry

PoC

The following Foundry test fails against the current code because the non-Santa user's first check is not reverted:

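function testCheckListNonSanta() public {
    // Impersonate a non-Santa account for the next contract call.
    vm.prank(user);
    // A correctly guarded checkList() must revert for this caller.
    vm.expectRevert();
    santasList.checkList(user, SantasList.Status.NICE);
    vm.stopPrank();
}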

Recommendations

Add the onlySanta modifier to the SantasList:checkList() function, as shown below...

function checkList(address person, Status status) external onlySanta {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}

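
A regression test for this fix, as an added example that is not part of the original submission or the project's code. It goes beyond the PoC by fuzzing the caller and by pinning the revert to a specific error, since a bare vm.expectRevert() passes on any revert. ListModel, NotSanta, the UNCHECKED and NAUGHTY enum members, the constructor argument, the public mapping and the santa address are assumptions made so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the first-check path only, with the fix applied.
// ListModel, NotSanta, UNCHECKED and the public mapping are assumptions.
contract ListModel {
    enum Status { UNCHECKED, NICE, NAUGHTY }
    error NotSanta();
    event CheckedOnce(address person, Status status);

    address private immutable i_santa;
    mapping(address => Status) public s_theListCheckedOnce;

    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    constructor(address santa) { i_santa = santa; }

    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}

contract CheckListAccessTest is Test {
    ListModel list;
    address santa = makeAddr("santa");
    address user = makeAddr("user");

    function setUp() public { list = new ListModel(santa); }

    // Any caller other than Santa must hit the access-control error, not just some revert.
    function testFuzz_NonSantaCannotCheck(address caller) public {
        vm.assume(caller != santa);
        vm.prank(caller);
        vm.expectRevert(ListModel.NotSanta.selector);
        list.checkList(user, ListModel.Status.NICE);
        assertTrue(list.s_theListCheckedOnce(user) == ListModel.Status.UNCHECKED);
    }

    // The guard must not lock out the legitimate caller.
    function testSantaCanCheck() public {
        vm.prank(santa);
        list.checkList(user, ListModel.Status.NAUGHTY);
        assertTrue(list.s_theListCheckedOnce(user) == ListModel.Status.NAUGHTY);
    }
}
```
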
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
