Submission Details
Severity: medium
Valid

NFT token can be purchased for half of its price

Summary

A user can call buyPresent for a friend at half the price of the NFT, i.e. 1e18, because the wrong token amount is passed.

Vulnerability Details

To call buyPresent for a friend, a user should have to pay 2e18 tokens (2e18 is the price of the token), but when buying a present the user pays only 1e18, because SantaToken::burn burns only 1e18 tokens instead of 2e18 tokens.

    function burn(address from) external {
        if (msg.sender != i_santasList) {
            revert SantaToken__NotSantasList();
        }
    @>  _burn(from, 1e18);
    }

    // Here is the POC

    function test_canBuyPresentForHalfPrice() public {
        vm.startPrank(santa);
        santasList.checkList(user, SantasList.Status.EXTRA_NICE);
        santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
        vm.stopPrank();
        vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
        vm.startPrank(user);
        // approving 1 token instead of 2 tokens
        santaToken.approve(address(santasList), 1e18);
        santasList.collectPresent();
        santasList.buyPresent(user);
        assertEq(santasList.balanceOf(user), 2);
        assertEq(santaToken.balanceOf(user), 0);
        vm.stopPrank();
    }

Impact

A user can buy twice as many presents for the same amount of money, which breaks the core of the protocol.

Tools Used

  • Manual Review

Recommendations

In the SantaToken::burn function:

- _burn(from, 1e18);
+ _burn(from, 2e18);
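
Review bot: the `+` line swaps one hard-coded literal for another, so SantaToken::burn still carries its own copy of the price. The judge's note on this page names PURCHASE_PRESENT_COST in SantasList.sol as the intended cost; passing that amount into burn as a parameter, for example `burn(address from, uint256 amount)`, would keep the two values from diverging again. The POC on this page should also be turned into a regression test that expects buyPresent to fail when the user holds only 1e18.
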
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Price is not enforced in buyPresent

This line indicates that the intended cost of presents for naughty people should be 2e18: https://github.com/Cyfrin/2023-11-Santas-List/blob/6627a6387adab89ae2ba2e82b38296723261c08a/src/SantasList.sol#L87
PURCHASE_PRESENT_COST should be implemented to enforce the cost of presents.
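
One way to enforce the price from a single constant, as the note above asks, written as an added sketch that is not the audited project's code. TokenSketch, ListSketch, collectReward, REWARD and the choice to charge msg.sender are assumptions made for illustration; a bare balance ledger stands in for the ERC20 so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the token: a minimal ledger, not an ERC20.
contract TokenSketch {
    error NotList();
    error InsufficientBalance(uint256 have, uint256 need);

    address public immutable i_list;
    mapping(address => uint256) public balanceOf;

    constructor(address list) { i_list = list; }

    function mint(address to, uint256 amount) external {
        if (msg.sender != i_list) revert NotList();
        balanceOf[to] += amount;
    }

    // The caller supplies the amount, so no price literal lives in the token.
    function burn(address from, uint256 amount) external {
        if (msg.sender != i_list) revert NotList();
        uint256 have = balanceOf[from];
        if (have < amount) revert InsufficientBalance(have, amount);
        balanceOf[from] = have - amount;
    }
}

// Hypothetical stand-in for the list contract: the only place the price is defined.
contract ListSketch {
    uint256 public constant PURCHASE_PRESENT_COST = 2e18; // cost named in the judge's note
    uint256 public constant REWARD = 1e18; // assumed: the balance the POC user ends up holding

    TokenSketch public immutable i_token;
    mapping(address => bool) public collected;
    mapping(address => uint256) public presents;

    constructor() { i_token = new TokenSketch(address(this)); }

    function collectReward() external {
        require(!collected[msg.sender], "already collected");
        collected[msg.sender] = true;
        i_token.mint(msg.sender, REWARD);
    }

    // Assumption: the buyer (msg.sender) pays. A balance of only REWARD makes
    // burn revert, so no present is recorded for half the price.
    function buyPresent(address receiver) external {
        i_token.burn(msg.sender, PURCHASE_PRESENT_COST);
        presents[receiver] += 1;
    }
}
```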
