Submission Details
Severity: high
Valid

Anyone can check the list by calling the 'checkList' function

Summary

In the SantasList contract, the 'checkList' function assumes that only Santa should perform the initial assessment of individuals on the list. However, as it lacks access control, any user, including malicious actors, can invoke the function and conduct this initial assessment without restriction.

Vulnerability Details

The vulnerability is in the checkList function of the SantasList.sol file, starting from line 114.

The checkList() function lacks access controls, allowing unrestricted access by any user to conduct the initial list assessment:

    /*
     * @notice Do a first pass on someone if they are naughty or nice.
     * Only callable by santa
     *
     * @param person The person to check
     * @param status The status of the person
     */
    function checkList(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

To restrict access and limit list checking to Santa, it's essential to implement a verification step ensuring that the function caller is indeed Santa.

Impact

If unauthorized parties can conduct the initial list check, this would undermine the contract's purpose, as its logic relies significantly on the trustworthiness and fairness of this list.

As specified in the accompanying NatSpec comment: "Do a first pass on someone if they are naughty or nice. Only callable by Santa," the core assumption is that only Santa can perform this initial assessment. If this functionality is compromised, it represents a high-severity vulnerability.

Tools Used

Manual analysis

Recommendations

Implement access control to restrict the calling of the checkList function exclusively to Santa (i_santa). This can be achieved in two ways:

i) Using an if statement to check the caller's address and revert with the custom error SantasList__NotSanta() if the caller isn't Santa:

    function checkList(address person, Status status) external {
        // Check if the function caller is Santa
        if (msg.sender != i_santa) {
            revert SantasList__NotSanta();
        }
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

ii) Define the 'onlySanta' modifier within the SantasList contract and apply it to the checkList function:

    modifier onlySanta() {
        if (msg.sender != i_santa) {
            revert SantasList__NotSanta();
        }
        _;
    }

    /*
     * @notice Do a first pass on someone if they are naughty or nice.
     * Only callable by santa
     *
     * @param person The person to check
     * @param status The status of the person
     */
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

Using the onlySanta modifier introduces a check ensuring that the caller is Santa before executing the function's logic, thereby restricting access to only Santa.
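A Foundry regression test for this fix, added here as an example; it is not part of the original submission or the project's code. PatchedList is a constructed stand-in that keeps only the members the finding touches; its enum members, event arguments, constructor and public mapping getter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for SantasList with recommendation (ii) applied.
// Assumed, not from the page: enum members, event args, constructor, public mapping getter.
contract PatchedList {
    error SantasList__NotSanta();
    enum Status { NICE, NAUGHTY }
    event CheckedOnce(address person, Status status);
    address private immutable i_santa;
    mapping(address => Status) public s_theListCheckedOnce;

    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }
    constructor() { i_santa = msg.sender; }

    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}

contract CheckListAccessTest is Test {
    event CheckedOnce(address person, PatchedList.Status status);
    PatchedList list;
    address santa = makeAddr("santa");
    address stranger = makeAddr("stranger");
    address person = makeAddr("person");

    function setUp() public {
        vm.prank(santa);
        list = new PatchedList(); // deployer becomes i_santa
    }

    function test_RevertWhen_CallerIsNotSanta() public {
        vm.prank(stranger);
        vm.expectRevert(PatchedList.SantasList__NotSanta.selector);
        list.checkList(person, PatchedList.Status.NAUGHTY);
        // The revert leaves state untouched: still the enum's zero value.
        assertEq(uint256(list.s_theListCheckedOnce(person)), uint256(PatchedList.Status.NICE));
    }

    function test_SantaCanCheckList() public {
        vm.expectEmit(address(list));
        emit CheckedOnce(person, PatchedList.Status.NAUGHTY);
        vm.prank(santa);
        list.checkList(person, PatchedList.Status.NAUGHTY);
        assertEq(uint256(list.s_theListCheckedOnce(person)), uint256(PatchedList.Status.NAUGHTY));
    }
}
```

Against the unpatched checkList, the first test fails because the call from the non-Santa address succeeds instead of reverting, which makes it a useful guard against the access check being dropped later.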

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
