Submission Details
Severity: high
Valid

`SantasList::checkList` is not protected and can be called by anyone

Summary

The `SantasList::checkList` function is not protected by the `SantasList::onlySanta` modifier, so anyone can call it and set their own Status, which should only be possible for Santa.

Vulnerability Details

```solidity
contract SantasList is ERC721, TokenUri {
    // @> no onlySanta modifier: any caller can set any address's status
@>  function checkList(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}
```

Because this function lacks the `SantasList::onlySanta` modifier, any external account or contract can call it to set its own status and obtain a more favourable value than others, which is unfair and against the rules of the contract.

Impact

Anyone can set their own status regardless of what they have actually earned or been assigned, so everyone can try to claim the higher reward, which is an unfair advantage.

Tools Used

  • Manual Analysis

  • Foundry

Recommendations

Apply the `SantasList::onlySanta` modifier to `SantasList::checkList` as well.

- function checkList(address person, Status status) external {}
+ function checkList(address person, Status status) external onlySanta{}
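Review bot: the `+` line shows the body as `{}`, which as written would drop the storage write and the `CheckedOnce` event; the intended change is only to add the modifier, i.e. `function checkList(address person, Status status) external onlySanta {` with the original body kept (and a space before `{`). Pair the change with a Foundry test asserting that a non-Santa caller reverts, so the missing modifier cannot silently reappear.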

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
