Submission Details
Severity:
`SantaList.checklist` is permissionless
Summary
SantaList.checklist can be called by anyone.
Vulnerability Details
The comment states that checkList() is only callable by santa. But there are no checks to prevent others from calling this function. This means anyone can change s_theListCheckedOnce.
Impact
Prevent the second checkList checkTwice from passing. Also prevent user from collecting presents by changing s_theListCheckedOnce.
Test:
function testHackCheckList() public {
vm.prank(user);
santasList.checkList(user, SantasList.Status.EXTRA_NICE);
assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.EXTRA_NICE));
}
Traces
[35868] SantasListTest::testHackCheckList()
├─ [0] VM::prank(user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D])
│ └─ ← ()
├─ [24111] SantasList::checkList(user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D], 1)
│ ├─ emit CheckedOnce(person: user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D], status: 1)
│ └─ ← ()
├─ [690] SantasList::getNaughtyOrNiceOnce(user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D]) [staticcall]
│ └─ ← 1
└─ ← ()
Tools Used
Manual review, Foundry
Recommendations
Add onlySanta modifier to function.
Updates
Lead Judging Commences
inallhonesty over 1 year ago
Submission Judgement Published Assigned finding tags:
Access Control on checkList()
Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
Rewards breakdown
nSLOC
116This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.