Submission Details
Severity: high
Valid

Missing modifier for checkList function

Summary

The checkList function is missing an access control modifier. According to the docs, only Santa may call checkList. To restrict who can call the function, the contract needs to check that msg.sender is authorized, but that check is missing from checkList.

Vulnerability Details

Anyone can call the checkList function to set their status as NICE or EXTRA_NICE to receive rewards even if they are not.

```solidity
// No access control: any caller can write any status for any address.
function checkList(address person, Status status) external {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}
```

Impact

Since anyone can set their status to NICE or EXTRA_NICE, Santa can't effectively filter addresses, because the checkTwice function only requires that the status input matches the status already stored in the s_theListCheckedOnce mapping.
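The following is an added illustration, not the contest's contract: it places the unguarded checkList shape from the finding next to a version guarded by an onlySanta modifier, and shows why a forged first check is enough to satisfy checkTwice. The i_santa field, the custom error names, the modifier body, the extra Status values and the assumption that checkTwice is itself Santa-only are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the contest code. Everything beyond the checkList body,
// the Status values NICE / EXTRA_NICE and the s_theListCheckedOnce mapping
// (i_santa, error names, modifier body, other enum values) is assumed.
contract SantasListExample {
    enum Status { NICE, EXTRA_NICE, NAUGHTY, NOT_CHECKED_TWICE }

    error NotSanta();
    error StatusMismatch();

    address private immutable i_santa;
    mapping(address => Status) private s_theListCheckedOnce;
    mapping(address => Status) private s_theListCheckedTwice;

    event CheckedOnce(address indexed person, Status indexed status);
    event CheckedTwice(address indexed person, Status indexed status);

    constructor() {
        i_santa = msg.sender; // assumption: deployer is Santa
    }

    // Assumed modifier body: reject every caller except the stored Santa address.
    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    // Vulnerable shape described in the finding: no access control, so any
    // caller can write any status for any address, including their own.
    function checkListUnguarded(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

    // Hardened shape from the recommendation: only Santa can write the first check.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

    // Second check only requires agreement with the first check, which is why
    // an attacker-controlled first check undermines the whole filter.
    function checkTwice(address person, Status status) external onlySanta {
        if (s_theListCheckedOnce[person] != status) revert StatusMismatch();
        s_theListCheckedTwice[person] = status;
        emit CheckedTwice(person, status);
    }

    function getStatusOnce(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }

    function getStatusTwice(address person) external view returns (Status) {
        return s_theListCheckedTwice[person];
    }
}
```

With the guarded version, a call to checkList from any address other than i_santa reverts with NotSanta before the mapping is touched, so the later checkTwice comparison is only ever made against a value Santa wrote. A Foundry test that calls checkList from a non-Santa address and expects the revert is the natural regression check for this finding.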

Tools Used

Manual Review

Recommendations

To restrict who can call the checkList function, add the onlySanta modifier to the function.

- function checkList(address person, Status status) external {
+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
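Review bot: the hunk depends on an onlySanta modifier that is not shown in this submission; before applying it, confirm the contract actually defines that modifier and that it reverts whenever msg.sender is not the stored Santa address, otherwise the added keyword will not compile or will not enforce anything. It would also help to pair the change with a test that a non-Santa call to checkList() reverts, since the impact argument above rests on that revert.
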
Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
