Lack of Access Control Allows Anyone To Manipulate Their Status
Summary
A user can simply call the checkList function to qualify them for the second check.
Vulnerability Details
To be able to call collectPresent, a user must possess either Status.NICE or Status.EXTRA_NICE. However, a malicious user could manipulate their initial status. While this manipulation would not permit them to collect presents, it creates a significant concern. This action, which should exclusively be executable by Santa as stated in the docs, can be misused to deceive the protocol into believing that a user qualifies for a subsequent pass. This vulnerability undermines the integrity of the status verification process.
Impact
A user can bypass the need to be checked once and the protocol might assume that he qualifies for the second pass and thus, manipulate their actual status.
Tools Used
Manual Review
Recommendations
Add onlySanta modifier to only allow the Santa user to call the function.
Lead Judging Commences
Access Control on checkList()
Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.