Submission Details
Severity: high
Valid

SantaList checkList function missing access control

Summary

The function below

function checkList(address person, Status status) external {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}

should be called only by Santa, but it is missing access control, which makes it vulnerable to calls that are not from Santa.

Vulnerability Details

Since anyone can call the function, some users will call it, and malicious users (in this case, naughty ones) can sneak in.

Impact

medium - The lack of access control in checkList potentially allows an attacker to manipulate the s_theListCheckedOnce mapping arbitrarily, leading to an incorrect or compromised status comparison in the checkTwice function. This undermines the integrity of the entire naughty or nice assessment process.

Tools Used

Manual analysis

Recommendations

Add the access control modifier so that only Santa is allowed to check the list.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
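
The restriction recommended in this finding, with a regression test for it, as an added example that is not the contest's own code. The contract is a constructed stand-in: the names SantaListSketch, onlySanta, NotSanta, i_santa and getFirstCheck, the enum values, and the event signature are assumptions, and the test assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the contract in the finding (constructed for this example).
contract SantaListSketch {
    enum Status { NICE, EXTRA_NICE, NAUGHTY, NOT_CHECKED_TWICE } // assumed values
    error NotSanta(); // hypothetical error name
    event CheckedOnce(address person, Status status); // assumed signature
    address private immutable i_santa; // assumed: Santa is fixed at deployment
    mapping(address => Status) private s_theListCheckedOnce;

    modifier onlySanta() { // hypothetical modifier name
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }
    constructor() { i_santa = msg.sender; }

    // Same body as the reported function, now restricted to Santa.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
    function getFirstCheck(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

contract CheckListAccessTest is Test {
    SantaListSketch list;
    address santa = makeAddr("santa");
    address user = makeAddr("user");

    function setUp() public {
        vm.prank(santa); // deploy as Santa so the constructor records that address
        list = new SantaListSketch();
    }

    // A caller other than Santa must be rejected before any state changes.
    function test_NonSantaCannotCheckList() public {
        vm.prank(user);
        vm.expectRevert(SantaListSketch.NotSanta.selector);
        list.checkList(user, SantaListSketch.Status.NICE);
    }

    // Santa can still record a first-pass status.
    function test_SantaCanCheckList() public {
        vm.prank(santa);
        list.checkList(user, SantaListSketch.Status.NAUGHTY);
        assertEq(uint256(list.getFirstCheck(user)), uint256(SantaListSketch.Status.NAUGHTY));
    }
}
```

Run it with `forge test` from a Foundry project; without the modifier, `test_NonSantaCannotCheckList` fails because the call no longer reverts.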
