Can collectPresent() more than 24 hours after Christmas
Summary
A user can collectPresent() more than 24 hours after Christmas, contrary to
//This should not be callable until Christmas 2023 (give or take 24 hours)
Vulnerability Details
if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) { revert SantasList__NotChristmasYet(); }
In this check only block.timestamps before christmas are reverted. Any timestamp after passes the check.
POC:
``
function testCollectPresentMonthsAfterChristmas() public {
vm.startPrank(santa);
santasList.checkList(user, SantasList.Status.NICE);
santasList.checkTwice(user, SantasList.Status.NICE);
vm.stopPrank();
//average block time for ethereum is ~12 seconds
//approx (24*60*60/12) = 7200 blocks a day
//1 month approx equal to: 7200*30 = 216,000 blocks
vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 216000);
vm.startPrank(user);
vm.expectRevert();
santasList.collectPresent();
assertEq(santasList.balanceOf(user), 1);
vm.stopPrank();
}
``
test fails as the user can successfully collect their present a ~month after christmas.
Impact
Users can claim presents for an indefinite amount of time after christmas has passed.
Tools Used
manual check
Recommendations
to fix this vulnerability and the other submitted 'Cannot collectPresent() less than 24 hours before Christmas', change code to:
if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME - 7200 || block.timestamp > CHRISTMAS_2023_BLOCK_TIME + 7200) { revert SantasList__NotChristmasYet(); }
Lead Judging Commences
collectPresent is callable after Christmas
check on block.timestamp only requires that christmas has arrived. The protocol explicitly states that after christmas has passed (give or take 24 hours) collecting shouldn't be possible.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.