First Flight #5: Santa's List

First Flight #5

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Unauthorized Token Burning in `buyPresent` Function of SantasList Contract

kevinkkien

Summary

The buyPresent function in the SantasList contract contains a critical vulnerability where it burns SantaTokens from the recipient's address instead of the sender's address. This flaw allows any user to burn tokens from another user's account without consent.

Vulnerability Details

In the SantasList contract, the buyPresent function is designed to allow users to buy presents using SantaTokens. However, due to a flaw in the implementation, the function burns tokens from the presentReceiver's account, not the msg.sender (the buyer). This design does not conform to the standard token burning practice, where the caller of the function should be the one whose tokens are burned.

Impact

This vulnerability poses a significant security risk, allowing any user to burn tokens from another user's account without permission. It could be exploited to deplete the SantaToken balance of unsuspecting users, leading to loss of tokens and potentially disrupting the token ecosystem.

Tools Used

manual

Recommendations

function buyPresent(address presentReceiver) external {

require(i_santaToken.balanceOf(msg.sender) >= PURCHASED_PRESENT_COST, "Insufficient balance to buy present");

require(i_santaToken.allowance(msg.sender, address(this)) >= PURCHASED_PRESENT_COST, "SantasList not authorized to use tokens");

i_santaToken.burnFrom(msg.sender, PURCHASED_PRESENT_COST);

_mintAndIncrement();

}

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.

Price is not enforced in buyPresent

This line indicates that the intended cost of presents for naughty people should be 2e18: https://github.com/Cyfrin/2023-11-Santas-List/blob/6627a6387adab89ae2ba2e82b38296723261c08a/src/SantasList.sol#L87 PURCHASE_PRESENT_COST should be implemented to enforce the cost of presents.

Rewards breakdown

nSLOC

116

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.