Submission Details
Severity: high
Valid

Lack of access control in `checkList` function

Summary

The `checkList` function lacks access control.

Vulnerability Details

Because `checkList` has no access control, any caller can manipulate the recorded status.

```solidity
// No access-control modifier: any address can call this function.
function checkList(address person, Status status) external {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}
```

This function should be callable only by Santa.

Impact

Scenario:
An attacker can change their own status to nice and will then be rewarded with a present.

Tools Used

Manual Review

Recommendations

-function checkList(address person, Status status) external {
+function checkList(address person, Status status) external onlySanta {
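
Review bot: The `onlySanta` modifier on the `+` line is not defined anywhere in the lines shown, so the fix depends on code that cannot be checked here. Confirm that the contract declares `onlySanta`, that it reverts for every caller other than Santa, and add a Foundry test asserting that a call to `checkList` from a non-Santa address reverts and leaves `s_theListCheckedOnce` unchanged.
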
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
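
A Foundry regression test for the intended behaviour described above, added here as an example; it is not code from the submission or from the audited project. Only `checkList`, `s_theListCheckedOnce`, `CheckedOnce` and the `onlySanta` name come from the page; the contract name `ListSketch`, the `NotSanta` error, `i_santa`, the `Status` members, the `statusOf` getter and the body of `onlySanta` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical minimal contract: everything except checkList, its mapping,
// its event and the onlySanta name is an assumption made for this test.
contract ListSketch {
    enum Status { UNKNOWN, NICE } // members assumed
    error NotSanta(); // assumed error name
    address private immutable i_santa; // assumed storage for Santa's address
    mapping(address => Status) private s_theListCheckedOnce;
    event CheckedOnce(address person, Status status);

    constructor(address santa) { i_santa = santa; }

    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    // Hardened signature from the Recommendations diff.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

    function statusOf(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

contract CheckListAccessTest is Test {
    address santa = makeAddr("santa");
    address nonSanta = makeAddr("nonSanta");
    ListSketch list;

    function setUp() public { list = new ListSketch(santa); }

    // A non-Santa caller must revert and must not change any status.
    function test_NonSantaCallReverts() public {
        vm.prank(nonSanta);
        vm.expectRevert(ListSketch.NotSanta.selector);
        list.checkList(nonSanta, ListSketch.Status.NICE);
        assertEq(uint256(list.statusOf(nonSanta)), uint256(ListSketch.Status.UNKNOWN));
    }

    // Santa keeps the ability to record a status.
    function test_SantaCanSetStatus() public {
        vm.prank(santa);
        list.checkList(nonSanta, ListSketch.Status.NICE);
        assertEq(uint256(list.statusOf(nonSanta)), uint256(ListSketch.Status.NICE));
    }
}
```

Run it with `forge test` inside a Foundry project that has `forge-std` installed; removing `onlySanta` from `checkList` makes the first test fail.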
