Submission Details
Severity: high
Valid

Anyone, not only i_santa, is allowed to call checkList()

Summary

checkList() should only be callable by i_santa.

Vulnerability Details

Any address, not only i_santa, can call this function; there is no access control on it.

Impact

  • Malicious users can call it as many times as they want; there is no limit.

  • Users who have been marked NAUGHTY can change their own status.

  • It can cause problems for i_santa when calling checkTwice, which will keep reverting if i_santa recorded one status for a user and the user then changed it themselves through checkList.

Foundry test showing that an address other than i_santa can call the function and set a status:

function testCheckListWithoutCallerBeingSanta() public {
    // Impersonate an arbitrary address that is not i_santa.
    vm.prank(address(10));
    santasList.checkList(user, SantasList.Status.NICE);
    // The call succeeds and the status is recorded for `user`.
    assertEq(
        uint256(santasList.getNaughtyOrNiceOnce(user)),
        uint256(SantasList.Status.NICE)
    );
}
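The following is an added example, not the audited SantasList.sol or the submitter's test. It is a deliberately trimmed, hypothetical contract that reuses only the names on this page (i_santa, Status, checkList, getNaughtyOrNiceOnce, onlySanta); the Status members other than NICE and NAUGHTY, the storage layout, the custom error and the contract name SantasListMinimal are assumptions. It places the unprotected function beside the one gated by onlySanta, and the Foundry test both reproduces the finding and serves as the regression test for the fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Hypothetical, minimal stand-in for SantasList.sol written for this report.
// Only names that appear on the page are reused; everything else is assumed.
contract SantasListMinimal {
    // UNKNOWN is an assumed default so a fresh mapping slot is not read as NICE.
    enum Status { UNKNOWN, NICE, NAUGHTY }

    error SantasList__NotSanta(); // assumed error name

    address private immutable i_santa;
    mapping(address => Status) private s_theListCheckedOnce; // assumed storage name

    // The modifier the report says already exists in SantasList.sol.
    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }

    constructor() {
        i_santa = msg.sender;
    }

    // Vulnerable form as described in the report: no access control at all.
    function checkListUnprotected(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
    }

    // Hardened form: same body, gated by the existing modifier.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
    }

    function getNaughtyOrNiceOnce(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

contract CheckListAccessControlTest is Test {
    SantasListMinimal santasList;
    address santa = makeAddr("santa");
    address user = makeAddr("user");
    address notSanta = makeAddr("notSanta");

    function setUp() public {
        vm.prank(santa); // constructor records msg.sender as i_santa
        santasList = new SantasListMinimal();
    }

    // Reproduces the finding against the unprotected function.
    function testUnprotectedCheckListCanBeCalledByAnyone() public {
        vm.prank(notSanta);
        santasList.checkListUnprotected(user, SantasListMinimal.Status.NICE);
        assertEq(
            uint256(santasList.getNaughtyOrNiceOnce(user)),
            uint256(SantasListMinimal.Status.NICE)
        );
    }

    // Regression test for the fix: a non-santa caller reverts and leaves the
    // status untouched, while i_santa can still write it.
    function testCheckListRevertsForNonSanta() public {
        vm.prank(notSanta);
        vm.expectRevert(SantasListMinimal.SantasList__NotSanta.selector);
        santasList.checkList(user, SantasListMinimal.Status.NICE);
        assertEq(
            uint256(santasList.getNaughtyOrNiceOnce(user)),
            uint256(SantasListMinimal.Status.UNKNOWN)
        );

        vm.prank(santa);
        santasList.checkList(user, SantasListMinimal.Status.NAUGHTY);
        assertEq(
            uint256(santasList.getNaughtyOrNiceOnce(user)),
            uint256(SantasListMinimal.Status.NAUGHTY)
        );
    }
}
```

Run with `forge test` in a project that has forge-std installed. The second test is the one worth keeping in the real repository after the modifier is applied: it documents that the revert is the intended behaviour rather than an accident of the fix.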

Tools Used

Manual Review
Foundry tests

Recommendations

SantasList.sol already defines an onlySanta() modifier, which can be applied to checkList():

- function checkList(address person, Status status) external
+ function checkList(address person, Status status) external onlySanta
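Review bot: the existing Foundry test above, which asserts that a non-santa caller succeeds, needs to be inverted once this modifier is added (prank the non-santa address, expect a revert, then assert the status is unchanged), otherwise the suite fails after the fix without a test that documents the new access rule; the report's own statement that i_santa relies on checkTwice makes a second assertion that i_santa can still call checkList worth adding as well.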

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
