Submission Details
Severity: medium
Invalid

User Verification mechanism not Fair and logical

Summary

At the moment we are not really aware of how, or on what terms, our users are being verified or "judged" in this case.

Vulnerability Details

Users are given a status as either nice, extra nice or naughty by Santa, but we are not sure of Santa's judgement. In my opinion, people make some mistakes that they are not aware are mistakes, and they would still want to claim presents. I believe it's fair to make them aware that they made mistakes and why we won't be giving them presents, or even why they are just nice and not extra nice.

Impact

At the moment Santa acts like a "god" who knows every user's behaviour; in this case I don't think the verification process is ideal for the proper performance of the contract. Let's take an example of the recent Cyfrin Updraft release: all the users who were eligible to get the early access, which is the present in this case, knew they had to log in to the website and use their code to get the presents they worked for. But in the case of Santa, regardless of how nice an individual can be, there is no time they can say "oh! it's Christmas, I have been nice the whole year, let me enter this mall, press a button and see if there is something for me".

Tools Used

Manual analysis

Recommendations

I am not so sure of the best approach to this, but I got something. Let's say you add a mechanism that would truly help show us who the nice, extra nice and naughty guys are. Think of something like a staking mechanism where our users are able to stake and use the protocol for, say, a year. In that year we monitor the users who have been staking for the longest time; those earn our extra nice status. Then users who did not stake as long earn the nice status, and those who don't use the protocol but still want presents are the naughty ones. With this in place maybe we have solved the issue, and users who don't use the protocol will know why they won't be getting Santa's presents.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Design choice
