Submission Details
Severity: high
Valid

buyPresent is callable by anyone and present can be sent to msg.sender

Summary

buyPresent is callable by anyone, and presentReceiver can be the same account that burnt the tokens. According to Santa, only naughty people are meant to call it.

Vulnerability Details

Anyone can burn their Santa tokens and mint a present for themselves or others.

Impact

Santa's punishment for naughty people is undermined, and anyone can buy a present for themselves.

Here is an example (Foundry test):

```solidity
function test_anyoneCanCallBuyPresent() public {
    // Santa marks the user as EXTRA_NICE on both lists
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
    vm.stopPrank();

    vm.startPrank(user);
    // move past Christmas so presents can be collected
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
    // collecting as EXTRA_NICE mints a present plus santa tokens
    santasList.collectPresent();
    // the user burns their own tokens and buys a present for themselves
    santasList.buyPresent(user);
    santaToken.balanceOf(user); // view call, result unused
    // the user now holds two presents
    assertEq(santasList.balanceOf(user), 2);
    vm.stopPrank();
}
```

Tools Used

Manual Review

Recommendations

In buyPresent, check that s_theListCheckedOnce[msg.sender] == Status.NAUGHTY && s_theListCheckedTwice[msg.sender] == Status.NAUGHTY && (presentReceiver != msg.sender), and revert if either condition does not hold.
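The following sketch, added here and not taken from the SantasList source, places the recommended guard next to the weak form described in this finding. The enum member order, the ISantaToken.burn signature and the _mintPresent helper are assumptions made only to keep the sketch compilable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified sketch written for this finding; it is not the SantasList
// source. Enum members, the ISantaToken.burn signature and _mintPresent
// are assumptions, kept only to show where the recommended guard goes.
interface ISantaToken {
    function burn(address from) external; // assumed signature
}

contract SantasListSketch {
    enum Status { NICE, EXTRA_NICE, NAUGHTY, NOT_CHECKED_TWICE } // assumed order

    error SantasList__NotNaughty();
    error SantasList__CannotBuyForSelf();

    mapping(address => Status) private s_theListCheckedOnce;
    mapping(address => Status) private s_theListCheckedTwice;
    ISantaToken private immutable i_santaToken;
    uint256 private s_tokenCounter;
    mapping(uint256 => address) private s_presentOwner;

    constructor(ISantaToken santaToken) {
        i_santaToken = santaToken;
    }

    // Weak form, as the finding describes it: no status check, the caller may
    // name themselves as receiver, and the burn hits the receiver's balance
    // rather than the caller's.
    function buyPresentWeak(address presentReceiver) external {
        i_santaToken.burn(presentReceiver);
        _mintPresent(presentReceiver);
    }

    // Hardened form following the recommendation: the caller must be NAUGHTY on
    // both lists, may not gift themselves, and pays with their own tokens.
    function buyPresent(address presentReceiver) external {
        if (
            s_theListCheckedOnce[msg.sender] != Status.NAUGHTY ||
            s_theListCheckedTwice[msg.sender] != Status.NAUGHTY
        ) revert SantasList__NotNaughty();
        if (presentReceiver == msg.sender) revert SantasList__CannotBuyForSelf();
        i_santaToken.burn(msg.sender);
        _mintPresent(presentReceiver);
    }

    function _mintPresent(address to) private {
        s_presentOwner[s_tokenCounter++] = to; // stands in for the ERC721 mint
    }
}
```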

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

The current implementation allows a malicious actor to burn someone else's tokens, as the burn function doesn't actually check for approvals.
