Incorrect information in README leads to confusion.
Summary
Incorrect information regarding the roles of the protocol would lead to confusion for users, devs and researchers.
Vulnerability Details
The Roles section states that there's a User role, which is a participant in the raffle, and has the power to enter the raffle with the enterRaffle function and refund value through the refund function. There is no raffle contract, enterRaffle function or refund function.
The Collecting Presents section states that the buyPresent function function trades 2e18 SantaToken for an NFT. The README states that anyone can call the function, clarified in the contest (discord) that anyone with SantaToken should be able to call it. The function and the tests are not implemented that way. It's likely that in this case the README has the intention, but it's not guaranteed.
Impact
Confusion for users who might want to use the protocol, as well as developers coming new to the project, and researchers trying to do security reviews.
Tools Used
Reading README.md in the repo.
Recommendations
Ensure all documentation is accurate prior to submitting protocol for review. Team should take steps to ensure that implementation matches documentation prior to submitting for review.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.