Severity: low
Valid

buy Function Does Not Gift the presentReceiver Any Gift

Summary

There is a vulnerability identified in the code. Specifically, within the buyPresent function, the burn function does not reward the presentReceiver in any way while the caller mints an NFT.

Vulnerability Details

The flaw can be located at line 173 in the santaList.sol contract. Any individual, even those without any santaTokens, can invoke the buyPresent function. But no reward is given to the presentReceiver; rather, they have their tokens burnt. Subsequently, the caller of this function gains the ability to mint an NFT for free.

Impact

When the buyPresent function is called, no reward is given to the presentReceiver; rather, they have their santa tokens burnt. Therefore the presentReceiver loses both the santa token and the potential gift, which isn't stated in the contract. The presentReceiver loses their token while the caller mints an NFT for free. This can be done multiple times, provided the caller has the address of someone who owns a Santa Token.

Tools Used

The identified issues were discovered through manual review and Invariant Testing.

Recommendations

  1. An algorithm should be in place to reward the presentReceiver address (that is, ensuring that they get the gifts for the tokens burned).
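
One way to implement this recommendation, shown beside the behaviour the report describes. This is an added example, not the contest's contract code: PresentModel, seed, PRESENT_COST, the two mappings and both function names are assumptions, with plain mappings standing in for the token and NFT contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model (added example): balances are plain mappings standing in
// for the Santa Token and the NFT. All names and values here are assumed.
contract PresentModel {
    uint256 public constant PRESENT_COST = 1e18;    // assumed price of one present
    mapping(address => uint256) public santaTokens; // stand-in for token balances
    mapping(address => uint256) public presents;    // stand-in for NFTs held

    // Helper for this model only: credit tokens to an account.
    function seed(address account, uint256 amount) external {
        santaTokens[account] += amount;
    }

    // Behaviour the report describes: the named address pays,
    // and the caller receives the NFT.
    function buyPresentAsReported(address presentReceiver) external {
        _burn(presentReceiver);
        presents[msg.sender] += 1;
    }

    // Corrected flow: the caller pays with their own tokens,
    // and the named address receives the NFT.
    function buyPresentFixed(address presentReceiver) external {
        require(presentReceiver != address(0), "zero receiver");
        _burn(msg.sender);
        presents[presentReceiver] += 1;
    }

    // Reverts unless `from` holds enough tokens to cover one present.
    function _burn(address from) internal {
        require(santaTokens[from] >= PRESENT_COST, "insufficient tokens");
        santaTokens[from] -= PRESENT_COST;
    }
}
```

With buyPresentFixed, a caller holding no tokens reverts in _burn, and a third party's balance can no longer be spent without their involvement.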

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should send to presentReceiver
