Malicious Actors can front-run `checkList` to prevent them from being checked twice
Summary
Because the function checkList can be called by anyone, it can be front-run to grief anyone from getting successfully checked twice.
Vulnerability Details
Since in order for an address to be eligible to call the collectPresent, that address needs to be checked twice. This validation process is a two-step process. In order for the user to be checked the second time, he needs to have that status that he wants to be in the first status.
For example, if he wants to qualify to collect a present, he needs to have Status.NICE or Status.VERY_NICE in the second mapping. In order for him to have that, he first needs to have either one of the status in the first mapping variable. However, since it is callable by anyone, anyone can just front-run it and change the status to prevent it from ever changing the second status.
Impact
Since this protocol is supposed to be deployed in arbitrium, the gas fees will be cheap. This means that it will be really cheap to grief users to prevent them from being ever eligible to collect a present.
Tools Used
Manual Review
Recommendations
Add the modifier onlySanta, so that only the approved address can call to prevent griefing.
Lead Judging Commences
Access Control on checkList()
Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.