The buyPresent function in the contract lacks adequate access control, enabling any user to burn SantaTokens from any address. This absence of restrictions contradicts the function's intended use, which should be limited to "naughty" users as per the design.
This vulnerability poses a significant risk to the token economy, as it allows any user to arbitrarily reduce the SantaToken balance of other addresses, disrupting the intended token distribution and user incentives.
Implement Access Control: Introduce checks to restrict the function to "naughty" users only.
Require User Consent for Token Burn: Modify the function to burn tokens only from the caller's balance or implement a consent mechanism for burning tokens from another user's balance.
Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.