Submission Details
Severity: high
Valid

'SantasList.sol::checkList' can be called by anyone

Summary

The 'SantasList.sol::checkList' function can be called by anyone and not just Santa.

Vulnerability Details

Because the 'SantasList.sol::checkList' function is missing the onlySanta modifier, any caller can invoke it and set their own status, or that of any other address, in the s_theListCheckedOnce mapping.

Impact

The test below passes, showing that anyone can call the checkList function.

    function testAnyoneCanCheckList() public {
        vm.prank(user);
        santasList.checkList(user, SantasList.Status.NICE);
        assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));
    }

Tools Used

- Foundry

Recommendations

It is recommended to add the onlySanta modifier to prevent anyone other than Santa from being able to call the function.

+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
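
Review bot: the `+` line carries the new signature with onlySanta, but the hunk has no matching `-` line for the existing declaration without the modifier, so applied as written it would leave two function headers; mark the old declaration as removed. The fix should also ship with a test that pranks a non-Santa address and expects checkList to revert, so the modifier cannot be dropped later without a failing test.
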
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
