Submission Details
Severity: high
Valid

Anyone who isn't i_santa is allowed to call checkList

Summary

checkList() should only be callable by i_santa.

Vulnerability Details

Any address that isn't i_santa is able to call this function.

Impact

  • Malicious users can call it as many times as they want; there is no limit.

  • Users who have been checked as Naughty can change their own status.

  • It can cause problems for i_santa when calling checkTwice, which will keep reverting if i_santa has recorded a choice for the user and the user has since modified it themselves via checkList.

Foundry test showing that an address other than santa can call the function:

```solidity
function testCheckListWithoutCallerBeingSanta() public {
    // Call from an arbitrary address that is not i_santa.
    vm.prank(address(10));
    santasList.checkList(user, SantasList.Status.NICE);

    // The status was written, so the call did not revert.
    assertEq(
        uint256(santasList.getNaughtyOrNiceOnce(user)),
        uint256(SantasList.Status.NICE)
    );
}
```
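The checkTwice griefing path from the Impact section, written as an added Foundry test (not part of the original submission). It assumes the test contract's `santa` and `user` addresses from the project's test setup, that `checkTwice(address, Status)` mirrors `checkList`'s signature, and that `Status.NAUGHTY` is an enum member; it asserts only that the call reverts, not which error.

```solidity
// Added example: demonstrates the checkTwice impact described above.
// Assumptions (not taken from the page): `santa` and `user` are addresses set up
// in the test contract, checkTwice(address, Status) has the same shape as
// checkList, and Status.NAUGHTY is a member of the enum.
function testUserOverwritesOwnStatusAndBlocksCheckTwice() public {
    // Santa records a first-check verdict for `user`.
    vm.prank(santa);
    santasList.checkList(user, SantasList.Status.NAUGHTY);

    // Because checkList has no access control, `user` overwrites the verdict.
    vm.prank(user);
    santasList.checkList(user, SantasList.Status.NICE);
    assertEq(
        uint256(santasList.getNaughtyOrNiceOnce(user)),
        uint256(SantasList.Status.NICE)
    );

    // Santa's second check against the original verdict now reverts, because
    // the stored first-check value no longer matches what Santa intended.
    vm.prank(santa);
    vm.expectRevert();
    santasList.checkTwice(user, SantasList.Status.NAUGHTY);
}
```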

Tools Used

Manual Review
Foundry tests

Recommendations

SantasList.sol already defines an onlySanta() modifier, which can be applied to checkList:

- function checkList(address person, Status status) external
+ function checkList(address person, Status status) external onlySanta
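Review bot: the fix is not covered by a test; the submission's test only shows the unauthorized call succeeding before the change. Add a companion test asserting that the same call reverts once the modifier is applied, e.g. `vm.prank(address(10)); vm.expectRevert(); santasList.checkList(user, SantasList.Status.NICE);`, and confirm that `onlySanta` reverts on a non-santa caller rather than returning silently.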
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality; it is meant to be callable only by Santa.
