Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

`SantaList::checkList()` can be called by anyone (not only by Santa)

Summary

The `SantaList::checkList()` function is `external` and has no access control, contrary to the Readme documentation, which states that only Santa may check the list. Any caller can therefore write an arbitrary `Status` (for example `NICE` or `EXTRA_NICE`) for their own address, or for any other address, into the first checklist. Because Santa's second check is carried out against this first list, tampered entries propagate into inaccurate evaluations at that stage.

Vulnerability Details

`checkList()` writes to `s_theListCheckedOnce` without checking `msg.sender`, so the write is open to any caller:

```solidity
@>  function checkList(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
```

Impact

Any address can set any `Status` for itself or for any other address in the first checklist, so the list no longer reflects Santa's judgement. The following Foundry test, where `user` and `santasList` are assumed to come from the surrounding test contract's `setUp()`, shows a non-Santa caller marking itself `EXTRA_NICE`:

```solidity
// The checkList function can be called by anyone, not only by the owner (Santa)
function testCheckListNotOnlyTheOwner() public {
    // Impersonate an arbitrary non-Santa account for the next call
    vm.prank(user);
    // The call succeeds and sets the caller's own first-check status
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.EXTRA_NICE));
}
```
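The following is an added, self-contained example, not code from the Santa's List project or from this submission: a list contract reduced to the first-check logic, written once without access control and once behind an `onlySanta` modifier, with a Foundry test that shows the unprivileged write succeeding against the first and reverting against the second (the fix this finding recommends). It also shows the attacker overwriting a third party's entry, which the page's proof of concept does not. `ListBase`, `VulnerableList`, `HardenedList`, `OnlySanta`, `santa`, the enum layout, `ListAccessTest` and the `attacker`/`victim` accounts are assumptions for this illustration; only `checkList`, `Status`, `CheckedOnce`, `s_theListCheckedOnce` and `getNaughtyOrNiceOnce` are taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed enum layout: the finding only names NICE and EXTRA_NICE.
enum Status { NICE, EXTRA_NICE, NAUGHTY }

// Assumed custom error used by the hardened version.
error OnlySanta();

// Shared storage and getter so the two checkList() variants sit side by side.
abstract contract ListBase {
    address public immutable santa;
    mapping(address => Status) internal s_theListCheckedOnce;

    event CheckedOnce(address indexed person, Status status);

    constructor() {
        santa = msg.sender; // deployer is Santa (assumption for this example)
    }

    function checkList(address person, Status status) external virtual;

    function getNaughtyOrNiceOnce(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

// Vulnerable shape: the write is unconditional, so any caller can set any address.
contract VulnerableList is ListBase {
    function checkList(address person, Status status) external override {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}

// Hardened shape: identical body, but only Santa may reach it.
contract HardenedList is ListBase {
    modifier onlySanta() {
        if (msg.sender != santa) revert OnlySanta();
        _;
    }

    function checkList(address person, Status status) external override onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}

contract ListAccessTest is Test {
    address santa = makeAddr("santa");
    address attacker = makeAddr("attacker");
    address victim = makeAddr("victim");

    VulnerableList vuln;
    HardenedList hard;

    function setUp() public {
        // Deploy both variants from the Santa account so `santa` is set correctly.
        vm.startPrank(santa);
        vuln = new VulnerableList();
        hard = new HardenedList();
        vm.stopPrank();
    }

    // Before the fix: the attacker promotes itself and demotes another address.
    function testAnyoneCanWriteFirstList() public {
        vm.startPrank(attacker);
        vuln.checkList(attacker, Status.EXTRA_NICE);
        vuln.checkList(victim, Status.NAUGHTY);
        vm.stopPrank();

        assertEq(uint256(vuln.getNaughtyOrNiceOnce(attacker)), uint256(Status.EXTRA_NICE));
        assertEq(uint256(vuln.getNaughtyOrNiceOnce(victim)), uint256(Status.NAUGHTY));
    }

    // After the fix: the same call reverts for the attacker and still works for Santa.
    function testOnlySantaCanWriteFirstList() public {
        vm.prank(attacker);
        vm.expectRevert(OnlySanta.selector);
        hard.checkList(attacker, Status.EXTRA_NICE);

        vm.prank(santa);
        hard.checkList(attacker, Status.NAUGHTY);
        assertEq(uint256(hard.getNaughtyOrNiceOnce(attacker)), uint256(Status.NAUGHTY));
    }
}
```

Run it with `forge test --match-contract ListAccessTest` inside a Foundry project that has `forge-std` installed. The second test is the regression test a fix PR should carry: it pins both halves of the requirement, that non-Santa callers are rejected and that Santa's own writes keep working.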

Tools Used

Manual review

Recommendations

Add the `onlySanta` modifier to `checkList()` so that only Santa can write the first checklist:

- function checkList(address person, Status status) external {
+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
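
Review bot: the `+ function checkList(address person, Status status) external onlySanta {` line assumes an `onlySanta` modifier that reverts when `msg.sender` is not Santa; the recommendation should say whether that modifier already exists in `SantasList` (and is the one applied to the other Santa-only functions) or show its definition, otherwise the patch does not compile on its own. The `testCheckListNotOnlyTheOwner` test shown above also needs updating after this change, since it currently asserts that the unprivileged call succeeds; wrapping the call in `vm.expectRevert(...)` turns it into a regression test for the fix.
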
Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
