Submission Details
Severity: high
Valid

`SantasList::checkList` lacks access control: anybody can call it to give an address the status they want. If Santa later uses that list, the caller gains an unfair advantage in receiving the NFT and token rewards.

Summary

The lack of access control on the checkList function lets anyone assign themselves any status, giving them an unfair advantage.

Vulnerability Details

The checkList function is the first step toward the NFT / token reward. According to the NatSpec documentation of that function, it should be callable by i_santa only, but the current version has no access control, so anybody can call it and assign the desired status. If the same list is then used by Santa for checkTwice, the attacker receives rewards they are not supposed to get.

POC

In the existing test suite, we can verify it by adding the following function:

```solidity
function testCheckListPublic() public {
    // A plain user, not i_santa, sets their own status to EXTRA_NICE.
    vm.prank(user);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.EXTRA_NICE));
}
```

Then run the following command in your terminal: `forge test --match-test testCheckListPublic -vv`
It prints the following, showing that the test passes:

[⠢] Compiling...
[⠃] Compiling 2 files with 0.8.22
[⠒] Solc 0.8.22 finished in 1.73s
Compiler run successful!
Running 1 test for test/unit/SantasListTest.t.sol:SantasListTest
[PASS] testCheckListPublic() (gas: 15992)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 6.02ms
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

Unfair advantage over rewards

Tools Used

Manual Review, Foundry

Recommendations

Use the onlySanta modifier on the function; it is already declared in the contract.
The corrected version should look like this:

```solidity
function checkList(address person, Status status) external onlySanta {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}
```
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
