First Flight #5: Santa's List

Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Anyone is able to burn someone else's tokens and mint an NFT in the SantasList contract.

Updates

Lead Judging Commences

InAllHonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.

buyPresent should send to presentReceiver
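The two finding tags above, sketched as a minimal Solidity model of the vulnerable shape beside the corrected one. This is an added example, not the SantasList contest code: `ToyToken`, `ToyList`, `collect`, `COST`, the `Vulnerable`/`Fixed` suffixes and the `burn(from, amount)` signature are all hypothetical names and assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token: burn() debits whichever account it is told to and
// checks only that the caller is the list contract, never an approval.
contract ToyToken {
    address public immutable list;
    mapping(address => uint256) public balanceOf;

    constructor(address list_) { list = list_; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == list, "only list");
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external {
        require(msg.sender == list, "only list");
        balanceOf[from] -= amount; // reverts on underflow in 0.8+
    }
}

// Hypothetical list contract with both versions of buyPresent side by side.
contract ToyList {
    uint256 public constant COST = 1e18; // assumed price of one present
    ToyToken public immutable token;
    mapping(uint256 => address) public ownerOf; // minimal stand-in for the NFT
    uint256 public nextId;

    constructor() { token = new ToyToken(address(this)); }

    // Assumed faucet so an account can hold tokens in this model.
    function collect() external { token.mint(msg.sender, COST); }

    // Vulnerable shape: the caller names the account that pays and keeps the
    // NFT, so any holder's balance can be spent without their consent.
    function buyPresentVulnerable(address presentReceiver) external {
        token.burn(presentReceiver, COST);
        ownerOf[nextId++] = msg.sender;
    }

    // Corrected shape: msg.sender pays, presentReceiver gets the NFT.
    function buyPresentFixed(address presentReceiver) external {
        token.burn(msg.sender, COST);
        ownerOf[nextId++] = presentReceiver;
    }
}
```

A regression test for the fix would assert that a call from an account holding no tokens reverts and leaves every other holder's `balanceOf` unchanged.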
