First Flight #5: Santa's List

First Flight #5

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Absence of access control modifier in SantaToken contract's Mint and Burn Functions

0xrektified

Summary

The contract lacks a dedicated modifier to check if the caller is i_santasList, which leads to repeated code and potential risks associated with future updates or extensions of the contract.

Vulnerability Details

In the SantaToken contract, the mint and burn functions include a direct check to verify whether the caller is the authorized santasList address.

if (msg.sender != i_santasList)

This check is repeated in both functions, instead of direct checks, the use of a modifier for access control is a best practice in Solidity.
This not only makes the code cleaner and more readable but also ensures that all functions with this access requirement uniformly enforce the same logic.

Impact

This issue is not directly putting funds at risk but can be classified under the 'Informational' category.
The absence of a modifier for repeated access control checks can lead to potential risks in future updates or maintenance of the contract.
If the contract is extended or modified, the repeated code needs to be accurately replicated, increasing the chance of errors.

Tools Used

This analysis is based on manual code review and understanding of Solidity best practices.

Recommendations

Introduce a modifier in the contract to handle the access control for santasList.
This modifier should be applied to the mint and burn functions to ensure that only the authorized address can call these functions.
Here is an example of how it can be implemented:

modifier onlySantasList() {

require(msg.sender == i_santasList, "SantaToken__NotSantasList");

}

function mint(address to) external onlySantasList {

_mint(to, 1e18);

}

function burn(address from) external onlySantasList {

_burn(from, 1e18);

}

This change will enhance the contract's maintainability, readability, and adherence to Solidity best practices.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

116

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.