NOT_CHECKED_TWICE status is never shown for any address
Summary
All users will be declared as NICE by default, for being the first status that appears in the 'Status' enum. The status by default should be NOT_CHECKED_TWICE, logically. The NOT_CHECKED_TWICE is never used as is not set by default and it cannot be set by using any function.
Vulnerability Details
Declaring all users as NICE will allow them to claim for their present when Christmas arrives, even if they are do not deserve it. For this not to happen, the CheckList() function needs to be called on somebody so as to change their status and prevent them from getting the present they do not deserve. Santa could also call the checkTwice() function to get the status second check changed. This action would need to be taken for every single address, which means a lot of work to be done.
Impact
The impact is not medium because it does not steal or lock other users' tokens, but it allows to get presents (ERC721 tokens) for those who do not deserve them. Increasing the supply of tokens in the market will make their value decrease; nice people would get a value reduction because of the naughty ones.
Tools Used
Recommendations
In the Status enum, NOT_CHECKED_TWICE must be the first status:
enum Status{
NOT_CHECKED_TWICE,
NICE,
EXTRA_NICE,
NAUGHTY,
}
Lead Judging Commences
default status is nice
In Solidity the first element of an enum is the default value. In Santa's List, the means each person is mapped by default to 'NICE'.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.