Submission Details
Severity: high
Valid

missing access control on checkList function - low impact

Summary

The comment on the function SantasList::checkList says "Only callable by santa", but the function does not have the onlySanta modifier.

@>  function checkList(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

Vulnerability Details

The onlySanta modifier is missing from the SantasList::checkList function, so anyone can update the status of an address in the s_theListCheckedOnce mapping.
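
The access check described above can be pinned with a Foundry regression test. This is an added example, not code from the submission or from the audited repository: SantasListModel is a reduced stand-in, and its Status members, i_santa variable, NotSanta error and constructor are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Minimal stand-in for SantasList, reduced to the pieces this finding touches.
// Assumptions (not from the audited code): the Status members, the i_santa
// variable, the NotSanta error and the constructor.
contract SantasListModel {
    enum Status { UNSET, NICE, NAUGHTY } // constructed values
    error NotSanta();
    event CheckedOnce(address person, Status status);
    address private immutable i_santa;
    mapping(address => Status) public s_theListCheckedOnce;
    constructor() { i_santa = msg.sender; }

    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    // Hardened form: the modifier the submission recommends is present.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}

contract CheckListAccessTest is Test {
    SantasListModel list;
    address santa = makeAddr("santa");
    address stranger = makeAddr("stranger");
    address person = makeAddr("person");
    function setUp() public {
        vm.prank(santa); // deploy as santa so i_santa == santa
        list = new SantasListModel();
    }

    // A non-Santa caller must revert and leave the first-check mapping untouched.
    function test_nonSantaCannotWriteFirstCheck() public {
        vm.prank(stranger);
        vm.expectRevert(SantasListModel.NotSanta.selector);
        list.checkList(person, SantasListModel.Status.NAUGHTY);
        assertEq(uint256(list.s_theListCheckedOnce(person)), uint256(SantasListModel.Status.UNSET));
    }

    // Santa keeps the ability to record the first check.
    function test_santaCanWriteFirstCheck() public {
        vm.prank(santa);
        list.checkList(person, SantasListModel.Status.NICE);
        assertEq(uint256(list.s_theListCheckedOnce(person)), uint256(SantasListModel.Status.NICE));
    }
}
```

Removing onlySanta from checkList in the model makes the first test fail, which is the behaviour this finding reports.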

Impact

The impact is low because there is the second function SantasList::checkTwice to confirm the status of an address, and it has the onlySanta modifier.

Tools Used

Manual review

Recommendations

Add the onlySanta modifier to the function.

- function checkList(address person, Status status) external {
+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
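
Review bot: On the changed signature line, onlySanta closes the open write path, but the patch carries no test that a non-Santa caller reverts; add one alongside the fix so the modifier cannot be dropped again unnoticed. The "Only callable by santa" comment quoted in the summary should sit directly above this signature so the documentation and the modifier are reviewed together.
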
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
