First Flight #5: Santa's List

First Flight #5

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Unrestricted Access to checkList Function Allows Unauthorized Status Changes

0xtheblackpanther

Summary

The checkList function in the Santa's List contract lacks proper access control, allowing anyone to call it. This vulnerability could lead to unauthorized modifications of the list, compromising the intended behavior of the contract.

Vulnerability Details

The checkList function is designed to be only callable by Santa; however, there is no implemented access control mechanism. Without proper access control, any external entity can call this function, potentially altering the status of addresses on the list.

function checkList(address person, Status status) external {

// No access control implemented

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

Impact

The lack of access control in the checkList function poses a security risk, as it allows unauthorized parties to change the status of addresses on the list. This could lead to manipulation of the list, impacting the intended behavior of the contract.

#POC

function testCheckListWithAnyUser() public {

vm.prank(user);

santasList.checkList(user, SantasList.Status.NICE);

assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));

}

Tools Used

Manual review

Recommendations

To address this vulnerability, it is recommended to implement proper access control mechanisms in the checkList function. This can be achieved by adding a modifier or a require statement at the beginning of the function to ensure that only authorized entities, such as Santa, can invoke this function.

Example:

modifier onlySanta() {

require(msg.sender == santaAddress, "Only Santa can call this function");

}

function checkList(address person, Status status) external onlySanta {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

By implementing access control, the contract can prevent unauthorized access to critical functions, enhancing the overall security of the system. Additionally,

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.

Rewards breakdown

nSLOC

116

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.