Beginner Friendly / Foundry / 100 EXP
Submission Details
Severity: high
Valid

Any user can call checkList()

Summary

Any user can call checkList(): the function is missing the onlySanta modifier that gates the rest of Santa's actions.

Vulnerability Details

Because checkList() has no access control, an arbitrary caller can "check" any address. For example, a caller could mark themselves as NICE or EXTRA NICE, or change the status of other users to NAUGHTY.

An attacker could also call checkList() after Santa's own checkList() call to overwrite the status of other addresses, so that when Santa later calls checkTwice() with the status he originally recorded, the call reverts with SantasList__SecondCheckDoesntMatchFirst().

Impact

Breaks the intended function of the contract. Anyone can change anyone's status on the first list, so by extension checkTwice() is broken as well: the data in s_theListCheckedOnce can no longer be trusted to reflect Santa's decision.

An attacker could continuously set users' statuses to NAUGHTY to ensure nobody is eligible for the NFT and the Santa tokens, or set their own status to EXTRA NICE before Santa's second check.

Tools Used

Manual review

Recommendations

Add the onlySanta modifier to checkList(), so the first check is gated by the same caller check as checkTwice().
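The tampering described under Vulnerability Details and the fix recommended above, as an added example that is not the SantasList project's code nor the submitter's: a reduced model of the list contract with the unguarded checkList() beside a hardened override, and a Foundry test that reproduces the SantasList__SecondCheckDoesntMatchFirst() revert and confirms the fixed version rejects a non-Santa caller. Function, error and storage names follow the finding; the Status enum layout, the SantasList__NotSanta error, the getter and the constructor are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the SantasList project's own code. Names that appear in
// the finding are kept (checkList, checkTwice, onlySanta, s_theListCheckedOnce,
// SantasList__SecondCheckDoesntMatchFirst); the enum layout, the
// SantasList__NotSanta error, the getter and the constructor are assumptions.
import {Test} from "forge-std/Test.sol";

contract VulnerableList {
    enum Status { NICE, EXTRA_NICE, NAUGHTY, NOT_CHECKED_TWICE }

    error SantasList__NotSanta();
    error SantasList__SecondCheckDoesntMatchFirst();

    address internal immutable i_santa;
    mapping(address => Status) internal s_theListCheckedOnce;
    mapping(address => Status) internal s_theListCheckedTwice;

    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }

    constructor() {
        i_santa = msg.sender;
    }

    // As reported: no access control, so any caller writes the first list.
    function checkList(address person, Status status) external virtual {
        s_theListCheckedOnce[person] = status;
    }

    // The second check is gated, but it trusts whatever the first list holds.
    function checkTwice(address person, Status status) external onlySanta {
        if (s_theListCheckedOnce[person] != status) {
            revert SantasList__SecondCheckDoesntMatchFirst();
        }
        s_theListCheckedTwice[person] = status;
    }

    function getNaughtyOrNiceOnce(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

contract FixedList is VulnerableList {
    // Recommended fix: gate the first check exactly like the second.
    function checkList(address person, Status status) external override onlySanta {
        s_theListCheckedOnce[person] = status;
    }
}

contract CheckListAccessTest is Test {
    address santa = makeAddr("santa");
    address attacker = makeAddr("attacker");
    address alice = makeAddr("alice");

    function test_anyoneCanTamperWithFirstCheck() public {
        vm.prank(santa);
        VulnerableList list = new VulnerableList();

        vm.prank(santa);
        list.checkList(alice, VulnerableList.Status.NICE);

        // The attacker overwrites Santa's entry; nothing stops the call.
        vm.prank(attacker);
        list.checkList(alice, VulnerableList.Status.NAUGHTY);
        assertEq(uint256(list.getNaughtyOrNiceOnce(alice)), uint256(VulnerableList.Status.NAUGHTY));

        // Santa's second check with the status he recorded now reverts.
        vm.prank(santa);
        vm.expectRevert(VulnerableList.SantasList__SecondCheckDoesntMatchFirst.selector);
        list.checkTwice(alice, VulnerableList.Status.NICE);
    }

    function test_fixedListRejectsNonSanta() public {
        vm.prank(santa);
        FixedList list = new FixedList();

        vm.prank(attacker);
        vm.expectRevert(VulnerableList.SantasList__NotSanta.selector);
        list.checkList(alice, VulnerableList.Status.NAUGHTY);

        // Santa's own two-step flow still works on the hardened contract.
        vm.prank(santa);
        list.checkList(alice, VulnerableList.Status.NICE);
        vm.prank(santa);
        list.checkTwice(alice, VulnerableList.Status.NICE);
        assertEq(uint256(list.getNaughtyOrNiceOnce(alice)), uint256(VulnerableList.Status.NICE));
    }
}
```

Run with `forge test --match-contract CheckListAccessTest` in a Foundry project that has forge-std installed. The first test is the proof of concept for the finding; the second shows that the one-modifier fix closes it without disturbing Santa's own flow.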

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality and is meant to be callable only by Santa.
