Missing "onlySanta" modifier in function "checkList".
A malicious user can call the admin-only function "checkList" at any time and manipulate statuses.
This issue is critical and can lead to several negative consequences:
A malicious user can set their own status to "NICE" or "EXTRA_NICE" and, if the second check matches, will receive a reward. If Santa calls "checkTwice" with a different "nice" value, the attacker can front-run that transaction by calling "checkList" with the same value (otherwise the status mismatch would cause the second status to be lost);
A malicious user can prevent other users from claiming a reward when the two-step verification has passed but the reward has not yet been claimed. If the two verification values match, the attacker can change the victim's first-check status by calling "checkList" with a different status value. The victim will then be unable to receive the reward, since it requires matching statuses (although a careful victim can simply change their status back to the previous value).
Manual review.
It is recommended to add the "onlySanta" modifier to function "checkList":
Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality; it is meant to be callable only by Santa.
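The missing modifier and the recommended fix, as an added Solidity illustration that is not the submission's or the contest's own code; the vulnerable form is kept as a comment beside the guarded one, and every name other than checkList, checkTwice, onlySanta and the NICE / EXTRA_NICE statuses is assumed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the finding, not the contest contract itself. Only
// checkList, checkTwice, onlySanta and the NICE / EXTRA_NICE statuses come
// from the report; every other name here is assumed.
contract SantasListIllustration {
    // Zero value is the unchecked state, so an unset mapping entry is never "nice".
    enum Status { NOT_CHECKED, NICE, EXTRA_NICE, NAUGHTY }
    error NotSanta();
    error SecondCheckDoesNotMatchFirst();
    error NotNice();
    address private immutable i_santa;
    mapping(address => Status) private s_checkedOnce;
    mapping(address => Status) private s_checkedTwice;

    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    constructor() {
        i_santa = msg.sender;
    }

    // Vulnerable form (kept as a comment): no access control, so any caller can
    // overwrite the first-check status of any address, including their own.
    //   function checkList(address person, Status status) external {
    //       s_checkedOnce[person] = status;
    //   }

    // Fixed form: the same modifier that already guards checkTwice.
    function checkList(address person, Status status) external onlySanta {
        s_checkedOnce[person] = status;
    }

    // The second check is only accepted when it matches the first one.
    function checkTwice(address person, Status status) external onlySanta {
        if (s_checkedOnce[person] != status) revert SecondCheckDoesNotMatchFirst();
        s_checkedTwice[person] = status;
    }

    // Reward eligibility: both checks must agree on a "nice" status, which is
    // why an attacker-controlled first check matters. Reward transfer omitted.
    function canCollectPresent() external view returns (bool) {
        Status once = s_checkedOnce[msg.sender];
        if (once != s_checkedTwice[msg.sender]) revert NotNice();
        if (once != Status.NICE && once != Status.EXTRA_NICE) revert NotNice();
        return true;
    }
}
```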