First Flight #5: Santa's List

First Flight #5

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Anyone can mint an NFT using collectPresent() on deployment

arkan

Summary

collectPresent() has the following check to ensure the msg.sender is assigned the NICE member of the Status enum:

if (s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE) {

The problem is that every person in the s_theListCheckedOnce mapping is assigned the NICE enum member by default, meaning they will pass the above check allowing them to mint an NFT.

Vulnerability Details

As per the Solidity documentation:

Enums require at least one member, and its default value when declared is the first member.

Looking at the Status enum:

enum Status {

NICE,

EXTRA_NICE,

NAUGHTY,

NOT_CHECKED_TWICE

}

We can see that NICE is the first member and therefore is the default value. Let’s take a look at the s_theListCheckedOnce mapping:

mapping(address person => Status naughtyOrNice) private s_theListCheckedOnce;

There is a key (address person) that maps to a value (Status naughtyOrNice). By default the value will be NICE for the reason previously stated. Now when someone calls collectPresent() and the following check is executed:

if (s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE) {

It passes as the person, i.e. the msg.sender, is assigned the NICE member of the Status enum by default.

Impact

Users do not need to be assigned the NICE member of the Status enum and therefore can call collectPresent() to mint an NFT. Imagine a scenario whereby Sam Bankman-Fried (SBF) is able to mint an NFT because he was assigned the NICE member by default. I believe the general consensus would be against such a scenario as we can all agree such individuals are more suited to the NAUGHTY member.

Tools Used

Manual Review.

Recommendations

Add an additional member to the Status enum and ensure it is the first member. For instance, adding UNKNOWN to Status as the first member will ensure the default value that the s_theListCheckedOnce and s_theListCheckedTwice mappings map to is UNKNOWN:

enum Status {

+ UNKNOWN,

NICE,

EXTRA_NICE,

NAUGHTY,

NOT_CHECKED_TWICE

}

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

default status is nice

In Solidity the first element of an enum is the default value. In Santa's List, the means each person is mapped by default to 'NICE'.

Rewards breakdown

nSLOC

116

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.