First Flight #5: Santa's List
First Flight #5
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Missing validation in `SantasList::buyPresent` allows receiver address to have more than one present

wafflemakr

Summary

Missing validation in SantasList::buyPresent allows receiver address to have more than one present

Vulnerability Details

SantasList::buyPresent is a function that allows any user to burn SantaTokens and mint NFT presents to a receiver address. An invariant for the protocol is An address is only allowed to collect 1 NFT per address but this function does not check if the receiver already has an NFT, therefore breaking the invariant.

PoC

function testBuyPresentAndEndWithTwo() public {
// claim present
vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
vm.prank(user);
santasList.collectPresent();
// buy present
vm.startPrank(user);
deal(address(santaToken), user, 100e18);
santaToken.approve(address(santasList), 1e18);
santasList.buyPresent(user);
vm.stopPrank();
// check
assertEq(santasList.balanceOf(user), 2);
}

Output:

forge test --mt testBuyPresentAndEndWithTwo -vv
[⠒] Compiling...
No files changed, compilation skipped
Running 1 test for test/unit/SantasListTest.t.sol:SantasListTest
[PASS] testBuyPresentAndEndWithTwo() (gas: 273188)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 3.75ms

Impact

HIGH, as there could be more than one NFT per address.

Tools Used

  • Manual Review

  • Foundry

Recommendations

Add a validation to check if the presentReceiver already has an NFT. Alternatively, create a mapping that stores which addresses have received NFT presents and block them to receive more.

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.