First Flight #5: Santa's List
First Flight #5
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Inadequate Access Control in checkList Function of SantasList Contract

kevinkkien

Summary

The checkList function in the SantasList contract lacks proper access control, allowing any user to arbitrarily set the naughty or nice status of any address.

Vulnerability Details

The checkList function in the SantasList contract does not use the onlySanta modifier or any other form of access control. This omission allows any external caller to modify the status of any address in the s_theListCheckedOnce mapping. The function is intended to be called exclusively by the Santa (contract owner or designated authority), but this flaw undermines this design principle.

Impact

This vulnerability exposes the contract to potential malicious activities where an unauthorized user can manipulate the status of other addresses in the naughty or nice list. Such an exploit can disrupt the intended functionality of the contract, leading to unfair distributions of rewards or penalties.

Tools Used

Manual

Recommendations

modify the checkList function to include the onlySanta modifier

function checkList(address person, Status status) external onlySanta {
require(person != address(0), "Invalid address");
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.