Severity: high
Valid

'SantasList.sol::checkList' can be called by anyone

Summary

The 'SantasList.sol::checkList' function can be called by anyone and not just Santa.

Vulnerability Details

Because the 'SantasList.sol::checkList' function is missing the onlySanta modifier, anyone can call the function and set their status on the s_theListCheckedOnce mapping.

Impact

The test below passes, showing that anyone can call the checkList function.

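    function testAnyoneCanCheckList() public {
        // Impersonate an arbitrary non-Santa address for the next call
        vm.prank(user);
        // The call succeeds even though the caller is not Santa
        santasList.checkList(user, SantasList.Status.NICE);
        // The caller's status in the first-check mapping is now NICE
        assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));
    }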

Tools Used

- Foundry

Recommendations

It is recommended to add the onlySanta modifier to prevent anyone other than Santa from being able to call the function.

+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
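
Review bot: the `+` line adding `onlySanta` has no matching `-` line for the existing signature without the modifier, so the hunk as written does not show what is being replaced and would not apply cleanly; include the removed signature line so the change reads as a one-line modification. The fix should also ship with a regression test that calls `checkList` under `vm.prank(user)` and expects a revert, since the only test on the page asserts that the unauthorized call succeeds and will fail once the modifier is in place.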
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
