A critical vulnerability was identified in the SantasList::buyPresent function. The function allows burning tokens without properly checking whether the caller holds SantaTokens. This omission can lead to unintended consequences, including negative balances and a reduction in the total supply of SantaTokens.
The buyPresent function allows unauthorized callers to burn tokens without verifying SantaTokens ownership, potentially leading to negative balances and a decrease in total supply.
The absence of a check for SantaTokens holders in the buyPresent function allows any address to call the function, potentially resulting in negative balances and an unintended reduction in the total supply of SantaTokens.
Tools used: Manual review
Add SantaTokens Holder Check: Implement a check in the burn function to ensure that the caller (msg.sender) holds SantaTokens before allowing the burning process. This can be achieved by verifying the balance of SantaTokens for the specified address.
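As an added illustration (not the contest's own code), the following minimal contract places the unchecked burn next to the recommended holder check. The ISantaToken interface, the SantasListExample name, the one-token present price and the presents counter are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal token interface for illustration; the real SantaToken
// may expose different functions.
interface ISantaToken {
    function balanceOf(address account) external view returns (uint256);
    function burn(address from) external;
}

contract SantasListExample {
    ISantaToken public immutable i_santaToken;
    uint256 public constant PRESENT_PRICE = 1e18; // assumed: one SantaToken per present

    // Present counter stands in for the real NFT mint (assumption).
    mapping(address => uint256) public presents;

    error SantasList__NotEnoughSantaTokens(address caller, uint256 balance);

    constructor(ISantaToken santaToken) {
        i_santaToken = santaToken;
    }

    // Pattern described in the finding: tokens are burned without first
    // confirming that the caller actually holds any SantaTokens.
    function buyPresentUnchecked(address presentReceiver) external {
        i_santaToken.burn(presentReceiver);
        presents[msg.sender] += 1;
    }

    // Recommended form: verify the caller's SantaToken balance before
    // burning, and burn from the caller (msg.sender) who is paying.
    function buyPresent(address presentReceiver) external {
        uint256 balance = i_santaToken.balanceOf(msg.sender);
        if (balance < PRESENT_PRICE) {
            revert SantasList__NotEnoughSantaTokens(msg.sender, balance);
        }
        i_santaToken.burn(msg.sender);
        presents[presentReceiver] += 1;
    }
}
```

The explicit balance check gives callers a clear revert reason instead of relying on whatever the token's burn path does on an empty balance.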