Submission Details
Severity: high
Valid

Arbitrary addresses have `NICE` status by default in both mappings, which allows them to call `collectPresent` and collect the reward without being checked twice by Santa.

Summary

  • An arbitrary address has NICE status by default in both mappings, s_theListCheckedOnce and s_theListCheckedTwice, which allows it to call collectPresent and collect the reward without being checked twice by Santa.

Vulnerability Details

  • As shown in the code below, the Status enum has four values: NICE, EXTRA_NICE, NAUGHTY and NOT_CHECKED_TWICE. The default value of an enum is its first value, which here is NICE. The mappings s_theListCheckedOnce and s_theListCheckedTwice both map an address to a Status. This means that an arbitrary address has NICE status by default in both s_theListCheckedOnce and s_theListCheckedTwice, which allows it to call collectPresent and collect the reward without being checked twice by Santa.

/*//////////////////////////////////////////////////////////////
                             TYPES
//////////////////////////////////////////////////////////////*/
enum Status {
@>  NICE,
    EXTRA_NICE,
    NAUGHTY,
    NOT_CHECKED_TWICE
}

  • PoC: without the user being checked in either mapping, the user has NICE status by default. The user is therefore able to call collectPresent() without being checked twice by Santa and collect the present for NICE status, i.e. 1 SANTA (NFT) and 0 SantaToken.

function testCheckingArbitaryUserIsAbleToCollectPresents() public {
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
    // Without being checked in either mapping, the user has NICE status by default
    vm.startPrank(user);
    assertEq(santasList.getNaughtyOrNiceOnce(user) == SantasList.Status.NICE, true);
    assertEq(santasList.getNaughtyOrNiceTwice(user) == SantasList.Status.NICE, true);
    // The user is able to call collectPresent() without being checked twice by Santa
    // and collect the present for NICE status, i.e. 1 SANTA (NFT) and 0 SantaToken.
    santasList.collectPresent();
    assertEq(santasList.balanceOf(user), 1);
    assertEq(santaToken.balanceOf(user), 0);
}

  • This is the output in the terminal when we run the test.

[⠒] Compiling...
[⠊] Compiling 1 files with 0.8.22
[⠒] Solc 0.8.22 finished in 2.81s
Compiler run successful!
Running 1 test for test/unit/SantasListTest.t.sol:SantasListTest
[PASS] testCheckingArbitaryUserIsAbleToCollectPresents() (gas: 97520)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 22.09ms
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)
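
The zero-value default described above, shown next to a fail-closed enum layout. This is an added example, not code from the SantasList contract or from the submission; the contract name, the `SafeStatus` enum, the checker role and all function names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.22;

// Added illustration, not the SantasList source. All names here are hypothetical.
contract DefaultStatusDemo {
    // Same member order as the audited enum: index 0 is NICE.
    enum Status { NICE, EXTRA_NICE, NAUGHTY, NOT_CHECKED_TWICE }
    // Fail-closed variant: index 0 is a sentinel that grants nothing.
    enum SafeStatus { UNCHECKED, NICE, EXTRA_NICE, NAUGHTY }

    error NotChecker();

    address private immutable i_checker; // assumed role that performs both checks
    mapping(address => Status) private s_once;
    mapping(address => Status) private s_twice;
    mapping(address => SafeStatus) private s_safeOnce;
    mapping(address => SafeStatus) private s_safeTwice;

    constructor() {
        i_checker = msg.sender;
    }

    // Explicit write path; an address only counts as checked after this runs for it.
    function recordBoth(address who, SafeStatus status) external {
        if (msg.sender != i_checker) revert NotChecker();
        s_safeOnce[who] = status;
        s_safeTwice[who] = status;
    }

    // Unwritten keys read as the zero value, Status(0) == NICE,
    // so this is true for every address that was never checked.
    function eligibleVulnerable(address who) external view returns (bool) {
        return s_once[who] == Status.NICE && s_twice[who] == Status.NICE;
    }

    // Unwritten keys read as UNCHECKED, so only addresses explicitly
    // recorded as NICE in both mappings pass.
    function eligibleHardened(address who) external view returns (bool) {
        return s_safeOnce[who] == SafeStatus.NICE && s_safeTwice[who] == SafeStatus.NICE;
    }

    // Raw storage value for a never-written key is 0 in both layouts;
    // only the meaning assigned to index 0 differs.
    function rawDefault(address who) external view returns (uint8, uint8) {
        return (uint8(s_once[who]), uint8(s_safeOnce[who]));
    }
}
```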

Impact

  • An arbitrary address can call collectPresent and collect the reward for NICE status without being checked twice by Santa.

Tools Used

  • Manual Review

  • Foundry

Recommendations

  • This is a simple fix: change the order of the enum values so that the default value is NAUGHTY.

/*//////////////////////////////////////////////////////////////
TYPES
//////////////////////////////////////////////////////////////*/
enum Status {
- NICE,
+ NAUGHTY,
EXTRA_NICE,
- NAUGHTY,
+ NICE,
NOT_CHECKED_TWICE
}
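
Review bot: the reordered enum still depends on declaration order for safety, and nothing at `enum Status {` records that the first member is the value every unwritten mapping entry reads as; add a comment there so a later reorder does not reintroduce the bug. Swapping `NICE` and `NAUGHTY` also changes the numeric value of both members, so any code or test that converts between Status and integers needs rechecking. Consider whether an explicit unchecked sentinel as the first member would express the default better than `NAUGHTY`, since with this change an address that was never checked is indistinguishable from one that was marked naughty.
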
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

default status is nice

In Solidity the first element of an enum is the default value. In Santa's List, this means each person is mapped by default to 'NICE'.
