checkList() function skips onlySanta modifier
Summary
checkList() function is supposed to be callable only by Santa, but the modifier onlySanta is missing.
Vulnerability Details
checkList() function is callable by any user, which allows anybody to change the status of the first list of any other person.
Impact
The status from the first list is required for Santa to confirm that status in the second list and when the user tries to collect their present. If this status is changed, Santa will not be able to confirm the user's real status for them to get (or not) a present. It could prevent users from getting the present they actually deserve. If somebody's status is changed after Santa has really confirmed it in the second list, they can call the checkList() function on themselves in order to be declared with their real status.
Tools Used
Recommendations
The function checkList() should have 'onlySanta' modifier:
function checkList(address person, Status status) external onlySanta{
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
Lead Judging Commences
Access Control on checkList()
Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.