Submission Details
Severity: high
Valid

missing access control on checkList function - low impact

Summary

The comment on the function SantasList::checkList says "Only callable by santa", but the function does not have the onlySanta modifier.

@> function checkList(address person, Status status) external {
       s_theListCheckedOnce[person] = status;
       emit CheckedOnce(person, status);
   }

Vulnerability Details

The onlySanta modifier is missing from the SantasList::checkList function, so anyone can update the status of an address in the s_theListCheckedOnce mapping.
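
The mismatch described here, a doc comment that promises a restricted caller while the function header carries no matching modifier, can be checked mechanically. The following Python script is an added example, not part of the original submission or the SantasList code base; the sample source is constructed, and the convention that a role named X is enforced by a modifier named onlyX is an assumption.

```python
import re

# Constructed sample modelled on the snippet in this report. The NatSpec
# wording and the checkTwice body are assumptions made for illustration.
SAMPLE = """
contract SantasList {
    /// @notice Only callable by santa
    function checkList(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

    /// @notice Only callable by santa
    function checkTwice(address person, Status status)
        external onlySanta
    { /* body omitted */ }
}
"""

ROLE_RE = re.compile(r"only\s+callable\s+by\s+(?:the\s+)?(\w+)", re.I)

def find_unenforced_roles(source):
    """Return (function, expected_modifier) pairs whose doc comment promises a
    restricted caller while the header has no such modifier. Assumes role X is
    enforced by modifier onlyX; checks inside the body are not detected."""
    findings, doc, lines, i = [], [], source.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(("//", "/*", "*")):
            doc.append(line)                      # comment block above a function
        else:
            if line.startswith("function "):
                header = line
                while "{" not in header and ";" not in header and i + 1 < len(lines):
                    i += 1                        # header may span several lines
                    header += " " + lines[i].strip()
                name = re.match(r"function\s+(\w*)", header).group(1)
                mods = header.split(")", 1)[-1].split("{")[0]  # after the params
                role = ROLE_RE.search(" ".join(doc))
                if role and re.search(r"\b(external|public)\b", mods):
                    expected = "only" + role.group(1)[:1].upper() + role.group(1)[1:]
                    present = {m.lower() for m in re.findall(r"\bonly\w+", mods)}
                    if expected.lower() not in present:
                        findings.append((name, expected))
            doc = []                              # comments attach to the next line only
        i += 1
    return findings
```

Run over the constructed sample, `find_unenforced_roles(SAMPLE)` reports checkList and leaves checkTwice alone.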

Impact

The impact is low because a second function, SantasList::checkTwice, is used to confirm the status of an address, and it has the onlySanta modifier.

Tools Used

Manual review

Recommendations

Add the onlySanta modifier to the function.

- function checkList(address person, Status status) external {
+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
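
Review bot: No regression test accompanies the onlySanta modifier added on the `+` line, so nothing prevents it from being dropped again in a later refactor. Add a test that calls checkList from an address other than Santa and expects a revert, and a second one confirming that Santa's call still writes s_theListCheckedOnce and emits CheckedOnce.
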
Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
