Submission Details
Severity: high
Valid

Burn internal function should use the sender address, not presentReceiver

Summary

There is a vulnerability in the santaList::buyPresent function: the burn call is set to burn the balance of the presentReceiver address rather than that of the caller (msg.sender). Consequently, the balance of the presentReceiver is burned.

Vulnerability Details

The flaw is located at line 173 in the santaList.sol contract. Any individual, even one without any santaTokens, can invoke the buyPresent function. Additionally, at line 175, the tokens being burnt should belong to the address of the caller rather than the presentReceiver address. As a result, the caller of this function gains the ability to mint an NFT for free.

Impact

The santaList::buyPresent function allows anyone to burn another person's tokens without possessing any tokens themselves, because the burn function burns the presentReceiver's santaTokens rather than the caller's. The presentReceiver loses their token while the caller mints an NFT for free. This can be done multiple times, provided the caller has the address of someone that owns a Santa Token.

Tools Used

The identified issues were discovered through manual review and Invariant Testing.

Recommendations

  1. Correct line 175 to invoke the burn function using the address of the caller (msg.sender) rather than the presentReceiver address.
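
A minimal Solidity model of the reported bug beside the recommended fix, added here as an illustration; it is not the audited santaList.sol code. `TokenModel`, `ListModel`, `seed`, `nftCount` and the 1e18 burn amount are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model, not the audited contracts. Every name except buyPresent,
// burn, presentReceiver and msg.sender is an assumption made for illustration.
contract TokenModel {
    mapping(address => uint256) public balanceOf;
    address public immutable list; // only the list contract may mint or burn

    constructor() { list = msg.sender; }

    modifier onlyList() { require(msg.sender == list, "not list"); _; }

    function mint(address to) external onlyList { balanceOf[to] += 1e18; }

    // No allowance check: burns from whatever address the list contract passes in.
    function burn(address from) external onlyList {
        balanceOf[from] -= 1e18; // reverts on underflow if `from` holds less than one token
    }
}

contract ListModel {
    TokenModel public immutable token = new TokenModel();
    mapping(address => uint256) public nftCount; // stand-in for the NFT mint

    // Test helper for the model only (assumption): gives `to` one token.
    function seed(address to) external { token.mint(to); }

    // As reported: the receiver is charged, the caller receives the NFT.
    function buyPresentVulnerable(address presentReceiver) external {
        token.burn(presentReceiver);
        nftCount[msg.sender] += 1;
    }

    // As recommended: the burn is charged to the caller, so a caller
    // without a token reverts inside burn() and nothing is minted.
    function buyPresentFixed(address /* presentReceiver */) external {
        token.burn(msg.sender);
        nftCount[msg.sender] += 1;
    }
}
```

In this model, a regression test should assert that a call from an account with zero balance reverts and leaves the named holder's `balanceOf` unchanged.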

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.
