Submission Details
Severity:
Missing Permission Modifier on `SantasList::checkList` so anyone can set `Status`
Summary
The SantasList::checkList function is missing the onlySanta() modifier. Instead of just Santa, anyone can change the Status of s_theListCheckedOnce.
Vulnerability Details
function checkList(address person, Status status) external {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
Above function should have the modifier onlySanta(), so that the modification of s_theListCheckedOnce is restricted.
Impact
function testCheckListAnyoneCanModifiy() public {
// user who is not santa
vm.prank(user);
santasList.checkList(user, SantasList.Status.NICE);
vm.stopPrank();
assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));
}
Test proofs that anyone can call function and modify status of a specific user.
Tools Used
foundry
Recommendations
Add modifier onlySanta() to function SantasList::checkList.
Updates
Lead Judging Commences
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
Access Control on checkList()
Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
Rewards breakdown
nSLOC
116This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.