buyPresent should have a conditional Statement or Modifier
Summary
As per the Naspec guide for the BuyPresent function in the santaList contract, it is intended to be callable by anyone possessing sufficient santaTokens.
Vulnerability Details
The flaw can be located at line 173 in the santaList.sol contract. Any individual, even those without any santaTokens, can invoke the buyPresent function. the caller of this function gains the ability to mint an NFT for free.
Impact
The buyPresent function allows anyone to burn another person's tokens without possessing any tokens themselves, attempting to burn the tokens associated with the presentReceiver address. The presentReceiver looses their santaToken without receiving any gift.
Tools Used
The identified issues were discovered through manual review and Invariant Testing.
Recommendations
Implement a modifier to verify that the caller (
msg.sender) has a minimum balance ofsantaTokensbefore allowing the execution of thebuyPresentfunction.
Lead Judging Commences
buyPresent should use msg.sender
Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.