Severity: high
Valid

Unrestricted Token Burning in buyPresent Function

Vulnerability Details

The buyPresent function in the contract lacks adequate access control, enabling any user to burn SantaTokens from any address. This absence of restrictions contradicts the function's intended use, which should be limited to "naughty" users as per the design.

    function buyPresent(address presentReceiver) external { //@audit no access control
        i_santaToken.burn(presentReceiver);
        _mintAndIncrement();
    }

    function _mintAndIncrement() private {
        _safeMint(msg.sender, s_tokenCounter++);
    }

Impact

This vulnerability poses a significant risk to the token economy, as it allows any user to arbitrarily reduce the SantaToken balance of other addresses, disrupting the intended token distribution and user incentives.

Recommendations

  1. Implement Access Control: Introduce checks to restrict the function to "naughty" users only.

  2. Require User Consent for Token Burn: Modify the function to burn tokens only from the caller's balance or implement a consent mechanism for burning tokens from another user's balance.
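A sketch of recommendation 2, added here as an example and not taken from the audited code base: the burn is charged to msg.sender, so a caller can only ever spend their own balance. MiniSantaToken, HardenedList, grant, presentsBought, the 1e18 unit and crediting the present to presentReceiver are all assumptions made for illustration; the "naughty" status check from recommendation 1 is not modelled because its mechanism is not shown on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for SantaToken: only the list contract may mint or burn.
contract MiniSantaToken {
    address public immutable list;
    uint256 public constant UNIT = 1e18; // assumed cost of one present
    mapping(address => uint256) public balanceOf;

    error NotList();

    constructor(address list_) {
        list = list_;
    }

    modifier onlyList() {
        if (msg.sender != list) revert NotList();
        _;
    }

    function mint(address to) external onlyList {
        balanceOf[to] += UNIT;
    }

    // As in the finding, burn checks no approval: the list contract alone
    // decides whose balance shrinks. Reverts on underflow (Solidity >= 0.8).
    function burn(address from) external onlyList {
        balanceOf[from] -= UNIT;
    }
}

contract HardenedList {
    MiniSantaToken public immutable token;
    address public immutable santa;
    mapping(address => uint256) public presentsBought; // stands in for the NFT mint

    error NotSanta();

    constructor() {
        santa = msg.sender;
        token = new MiniSantaToken(address(this));
    }

    // Hypothetical funding path so the example can be exercised.
    function grant(address to) external {
        if (msg.sender != santa) revert NotSanta();
        token.mint(to);
    }

    // Burn from the caller only; presentReceiver never pays.
    function buyPresent(address presentReceiver) external {
        token.burn(msg.sender);
        presentsBought[presentReceiver] += 1;
    }
}
```

With this shape, a call to buyPresent from an address holding no tokens reverts in burn, and the balance of presentReceiver is never touched.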

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.
