As per the NatSpec guidelines (line 115 in the santaList contract), only Santa is intended to have the capability to invoke a specific function. However, a vulnerability has been identified in the code. The function checkList at line 121 within the checkList contract can be called by any entity. This allows unauthorized individuals to modify the state of each child or any child as they please.
At line 121, the checkList function in the checkList contract lacks proper access restrictions. Any person can call this function, enabling them to alter the initial status of a child. Consequently, Santa may set a child's status, but another individual can override this information or manipulate the states of multiple addresses eligible for a Santa present. When Santa subsequently calls the function checkTwice(), it would result in a revert.
The ability for anyone to call the checkList function undermines the integrity of the initial child status setting. This vulnerability allows unauthorized entities to reassign or manipulate the state of multiple addresses, leading to potential issues when Santa attempts to verify with the checkTwice() function, causing it to revert.
The identified issues were discovered through manual review and Invariant Testing.
Add a modifier to the checkList function to restrict its invocation to only Santa or authorized entities, preventing any unauthorized individuals from calling the function.
Consider implementing access control mechanisms to ensure that only designated parties, such as Santa, can modify the states of children in the santaList contract.
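A minimal sketch of the recommended modifier, added here as an example and not taken from the audited contract. Only checkList, checkTwice and the Santa-only rule come from the finding; the contract name, enum values, storage names, error names and the checkListUnrestricted function are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration; all names except checkList/checkTwice are assumed.
contract SantaListSketch {
    enum Status { NOT_CHECKED, NICE, NAUGHTY } // constructed values

    error NotSanta();
    error SecondCheckDoesntMatchFirst();

    address private immutable i_santa;
    mapping(address => Status) private s_checkedOnce;
    mapping(address => Status) private s_checkedTwice;

    // Access control recommended by the finding: reject every caller except Santa.
    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    constructor() {
        i_santa = msg.sender; // the deployer plays the role of Santa in this sketch
    }

    // Behaviour described in the finding: no restriction, so any caller can
    // overwrite the first-pass status that Santa recorded for `person`.
    function checkListUnrestricted(address person, Status status) external {
        s_checkedOnce[person] = status;
    }

    // Hardened form: the same write, but only Santa can perform it.
    function checkList(address person, Status status) external onlySanta {
        s_checkedOnce[person] = status;
    }

    // Second pass: reverts when the first-pass status no longer matches, which is
    // what Santa runs into after a third party has overwritten the first pass.
    function checkTwice(address person, Status status) external onlySanta {
        if (s_checkedOnce[person] != status) revert SecondCheckDoesntMatchFirst();
        s_checkedTwice[person] = status;
    }

    function firstCheck(address person) external view returns (Status) {
        return s_checkedOnce[person];
    }
}
```

Calling checkListUnrestricted from a non-Santa account after Santa's checkList, then checkTwice with Santa's original status, reproduces the revert; calling checkList from that same account reverts with NotSanta instead.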
Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality; the function is meant to be callable only by Santa.