First Flight #5: Santa's List

Summary

The collectPresent function in the SantasList smart contract is susceptible to a vulnerability where a user classified as "NAUGHTY" can set their own status to "NICE" using the checkList function. Subsequently, this user can exploit the Christmas present collection mechanism, as the collectPresent function does not sufficiently validate the authenticity of the "NICE" status.

Vulnerability Details

1. Lack of Access Control in checkList:

   • The checkList function lacks proper access control, allowing any address to set its own status to "NICE" or "NAUGHTY."

2. Unchecked Self-Setting of Status:

   • A user classified as "NAUGHTY" can set their own status to "NICE" or "EXTRA_NICE" using the checkList function.

3. Exploitable Logic in collectPresent:

   • The collectPresent function relies on the results of the checkList and checkTwice functions to determine eligibility for present collection.

   • The vulnerability allows a user to manipulate their own status and successfully pass the checks in collectPresent, leading to the unintended issuance of presents.

Impact

The impact of this vulnerability includes:

• Unauthorized Present Collection: A user can illegitimately collect presents (NFTs) by manipulating their own status, violating the intended logic of the Christmas present distribution.

Tools Used

• Manual Review

Recommendations

1. Access Control in checkList:

   • Implement proper access control in the checkList function to restrict modification of user statuses to authorized entities only.

2. Thorough Validation in collectPresent:

   • Enhance the validation logic in the collectPresent function to verify the authenticity of the "NICE" status by checking against a trusted data source or introducing a more secure mechanism.