Submission Details
Severity: high
Valid

Access control vulnerability in the `checkList()` function

Summary

According to the comment above `checkList()`, the function is only meant to be called by Santa. However, the function body contains no check on `msg.sender` at all. As a result, anyone can set their own first-check status, and the status of any other address, to whatever value they like.

Vulnerability Details

Impact

  • Users can add themselves to the `s_theListCheckedOnce` list with any status, including `EXTRA_NICE`. On its own this is not enough to call `collectPresent()`, since Santa still has to add them to the `s_theListCheckedTwice` list, but one of the two gates in front of the presents is gone.

  • Users can overwrite the first-check status of any other address (for example, set a legitimately nice user to `NAUGHTY`), preventing that address from calling `collectPresent()`.

Test

```solidity
// Foundry test. `santasList` is the deployed SantasList instance and `user` is
// an ordinary (non-Santa) address, both set up as state variables of the test contract.
function testcheckListAccessControl() public {
    // Call checkList() from an address that is not Santa.
    vm.prank(user);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);

    // The call does not revert and the status is written.
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.EXTRA_NICE));
}
```

Recommendations

Apply the existing `onlySanta` modifier to `checkList()`, so that any call from an address other than Santa reverts before the list is written.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
