The checkList() function of the Santa's List smart contract lacks access control, which allows anyone to drain the contract of Santa tokens. Because any caller can invoke checkList(), a caller can assign themselves EXTRA_NICE status, which grants the ability to collect a large number of tokens.
The checkList() function in the Santa's List smart contract does not implement any access control, so anyone can call it and assign themselves EXTRA_NICE status. That status lets the caller collect a large number of Santa tokens by repeatedly calling collectPresent(). As a result, anyone can exploit this vulnerability to drain the contract of Santa tokens.
An attacker could exploit this vulnerability by repeatedly calling collectPresent() while holding EXTRA_NICE status, draining the contract of Santa tokens. This would severely deplete the contract's resources and disrupt the protocol's economy.
Manual Review
Implement an onlySanta modifier to restrict the ability to call the checkList() function.
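The following is an added example, not code from the Santa's List project or from this submission. It models the finding with a minimal hypothetical contract: the vulnerable checkList() with no access control beside a hardened version guarded by an onlySanta modifier, plus a Foundry test showing that only Santa can change a status. Only checkList(), collectPresent() and EXTRA_NICE come from the finding; the contract names, the other enum members, the santa and statusOf storage variables, the NotSanta error and the test addresses are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed status set; only EXTRA_NICE is named in the finding.
enum Status { NOT_CHECKED, NICE, EXTRA_NICE, NAUGHTY }

/// Vulnerable form (hypothetical model): checkList() has no access control,
/// so any caller can set any address, including their own, to EXTRA_NICE.
contract VulnerableSantasList {
    address public immutable santa;            // assumed storage name
    mapping(address => Status) public statusOf; // assumed storage name

    constructor() { santa = msg.sender; }

    function checkList(address person, Status status) external {
        statusOf[person] = status;
    }
}

/// Hardened form (hypothetical model): an onlySanta modifier restricts
/// checkList() to the Santa address recorded at deployment.
contract HardenedSantasList {
    error NotSanta(); // assumed error name

    address public immutable santa;
    mapping(address => Status) public statusOf;

    constructor() { santa = msg.sender; }

    modifier onlySanta() {
        if (msg.sender != santa) revert NotSanta();
        _;
    }

    function checkList(address person, Status status) external onlySanta {
        statusOf[person] = status;
    }
}

/// Foundry test contrasting the two forms (constructed addresses).
contract CheckListAccessTest is Test {
    address santa = makeAddr("santa");
    address stranger = makeAddr("stranger");

    // Missing modifier: a non-Santa caller succeeds in granting EXTRA_NICE.
    function test_vulnerable_checkList_is_open_to_anyone() public {
        vm.prank(santa);
        VulnerableSantasList list = new VulnerableSantasList();

        vm.prank(stranger);
        list.checkList(stranger, Status.EXTRA_NICE);
        assertEq(uint8(list.statusOf(stranger)), uint8(Status.EXTRA_NICE));
    }

    // With onlySanta: the same call reverts for a stranger and succeeds for Santa.
    function test_hardened_checkList_reverts_for_non_santa() public {
        vm.prank(santa);
        HardenedSantasList list = new HardenedSantasList();

        vm.prank(stranger);
        vm.expectRevert(HardenedSantasList.NotSanta.selector);
        list.checkList(stranger, Status.EXTRA_NICE);
        assertEq(uint8(list.statusOf(stranger)), uint8(Status.NOT_CHECKED));

        vm.prank(santa);
        list.checkList(stranger, Status.NICE);
        assertEq(uint8(list.statusOf(stranger)), uint8(Status.NICE));
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The modifier reverts before any state is written, so the second test also confirms that a failed unauthorized call leaves the status untouched.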
Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality; it is meant to be callable only by Santa.