First Flight #5: Santa's List
First Flight #5
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing Validation on `SantasList::checkList` allows random address to set status

wafflemakr

Summary

Missing Validation on SantasList::checkList allows random address to set status

Vulnerability Details

SantasList::checkList is missing the onlySanta modifier, allowing any malicious users to set status for a random person. Additionally, people that already have the NICE and EXTRA_NICE status, can be updated to NAUGHTY, removing their rights to collect and buy presents.

PoC

function testRandomAddressCheckOne() public {
// any user can call check list, apart from santa
vm.expectEmit(false, false, false, true);
emit CheckedOnce(user, SantasList.Status.EXTRA_NICE);
vm.prank(user);
santasList.checkList(user, SantasList.Status.EXTRA_NICE);
// check status
assertTrue(santasList.getNaughtyOrNiceOnce(user) == SantasList.Status.EXTRA_NICE);
}

Output:

forge test --mt testRandomAddressCheckOne
[⠒] Compiling...
No files changed, compilation skipped
Running 1 test for test/unit/SantasListTest.t.sol:SantasListTest
[PASS] testRandomAddressCheckOne() (gas: 37854)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.32ms

Impact

HIGH. Breaks protocol goals.

Tools Used

  • Manual Review

Recommendations

Add onlySanta modifier to SantasList::checkList.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!