collectPresent() does not adequately check whether msg.sender has already claimed their share of presents and tokens.
The only duplicate-claim check is the caller's current NFT balance (balanceOf(msg.sender) > 0). A balance is not a record of past claims: the user can transfer the freshly minted present to another wallet they control, which drops their balance back to zero, and call collectPresent() again.
Proof of concept of how the attack occurs: the attacker calls collectPresent() once, transfers the minted present NFT to a second address they own, and calls collectPresent() again; each round passes the balance check and mints another present (and, for an extra-nice user, more tokens).
Santa's smart contracts can be gamed so that a single user ends up with an unfair number of presents and/or tokens, at the expense of the intended one-claim-per-user distribution.
Manual Review, Foundry
s_tokenCounter is declared as a single uint256 private s_tokenCounter; and incremented in _mintAndIncrement(), but it is never consulted in collectPresent() to detect a duplicate claim, and since it is not keyed by the user's address it could not be. Track claims per address instead. The declaration suggested in this report, given a distinct name so the existing global counter can stay in place:
mapping(address person => uint256 countOfSantasPresentClaimed) private s_presentsClaimed;
In _mintAndIncrement(), increment it with s_presentsClaimed[msg.sender]++, and in collectPresent() revert when s_presentsClaimed[msg.sender] > 0.
Keep uint256 private s_tokenCounter; as well rather than replacing it: if _mintAndIncrement() uses s_tokenCounter++ as the token ID passed to _safeMint(), turning it into a per-address mapping would restart IDs at 0 for every new claimant, and the second user's mint would collide with an existing token ID.
Relying on balanceOf(msg.sender) > 0 in collectPresent() is not a substitute for this record, because msg.sender can send their present to another address and then collect again.
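The double-claim path described above and the per-address fix recommended here, as an added Foundry example that is not part of the original finding or of the SantasList codebase. Both contracts are pared-down stand-ins that keep only the claim check relevant to this finding; the OpenZeppelin and forge-std import paths, the contract names, and the s_presentsClaimed mapping are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin and forge-std
// are installed via `forge install`; the import paths are assumptions.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

// Vulnerable pattern: the only "already claimed" check is the live NFT balance,
// which a transfer resets to zero.
contract VulnerableList is ERC721 {
    error AlreadyCollected();
    uint256 private s_tokenCounter;

    constructor() ERC721("Vulnerable", "VUL") {}

    function collectPresent() external {
        if (balanceOf(msg.sender) > 0) revert AlreadyCollected();
        _mintAndIncrement();
    }

    function _mintAndIncrement() private {
        _safeMint(msg.sender, s_tokenCounter++);
    }
}

// Hardened pattern: a per-address claim count that no transfer can reset.
// The global counter is kept because it supplies the token IDs.
contract FixedList is ERC721 {
    error AlreadyCollected();
    uint256 private s_tokenCounter;
    // Assumed name; the report's suggested mapping, kept separate from s_tokenCounter.
    mapping(address person => uint256 countOfSantasPresentClaimed) private s_presentsClaimed;

    constructor() ERC721("Fixed", "FIX") {}

    function collectPresent() external {
        if (s_presentsClaimed[msg.sender] > 0) revert AlreadyCollected();
        _mintAndIncrement();
    }

    function _mintAndIncrement() private {
        s_presentsClaimed[msg.sender]++;
        _safeMint(msg.sender, s_tokenCounter++);
    }

    function presentsClaimed(address who) external view returns (uint256) {
        return s_presentsClaimed[who];
    }
}

contract DoubleClaimTest is Test {
    // Two EOAs controlled by the same attacker (constructed test addresses).
    address attacker = makeAddr("attacker");
    address attackerAlt = makeAddr("attackerAlt");

    function test_VulnerableListCanBeClaimedTwice() public {
        VulnerableList list = new VulnerableList();
        vm.startPrank(attacker);
        list.collectPresent();
        // Park the present in the second wallet; attacker's balance is 0 again.
        list.transferFrom(attacker, attackerAlt, 0);
        list.collectPresent(); // passes the balance check and mints token 1
        vm.stopPrank();
        assertEq(list.balanceOf(attacker) + list.balanceOf(attackerAlt), 2);
    }

    function test_FixedListRevertsOnSecondClaim() public {
        FixedList list = new FixedList();
        vm.startPrank(attacker);
        list.collectPresent();
        list.transferFrom(attacker, attackerAlt, 0);
        vm.expectRevert(FixedList.AlreadyCollected.selector);
        list.collectPresent(); // claim count is still 1, so this reverts
        vm.stopPrank();
        assertEq(list.presentsClaimed(attacker), 1);
    }
}
```

Run with forge test. The first test passes because VulnerableList mints a second present once the first has been moved away; the second passes because FixedList consults the claim count rather than the balance, so the transfer changes nothing and the repeat call reverts with AlreadyCollected.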