Submission Details
Severity: medium
Valid

Naughty users buy present for lesser price

Summary

When naughty users buy a present, they pay a lesser price rather than `PURCHASED_PRESENT_COST` (2e18).

Vulnerability Details

When naughty users interact with `SantasList.buyPresent`, they are supposed to pay `PURCHASED_PRESENT_COST`. This amount is burnt with `i_santaToken.burn`. The `burn` function does not use this constant when calling `_burn`; it uses a cost defined inside the function.

Impact

Users mint for half the price.

Tools Used

Manual Review.

Recommendations

The `burn` function should take the amount to burn as a parameter. `buyPresent` can then call it with `PURCHASED_PRESENT_COST`.

  • SantaToken.sol

```solidity
function burn(address from, uint amount) external {
    if (msg.sender != i_santasList) {
        revert SantaToken__NotSantasList();
    }
    _burn(from, amount);
}
```

  • SantasList.sol

```solidity
function buyPresent(address presentReceiver) external {
    i_santaToken.burn(presentReceiver, PURCHASED_PRESENT_COST);
    _mintAndIncrement();
}
```

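
A Foundry regression test for the price check recommended above, as an added example that is not the contest's or the submitter's code. `TokenModel` and `ListModel` are hypothetical simplified stand-ins, and the hard-coded `1e18` is an assumption taken from the Impact line (half of 2e18).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Simplified stand-ins written for this example; not the contest's contracts.
contract TokenModel {
    address public immutable list;
    mapping(address => uint256) public balanceOf;

    constructor(address list_) { list = list_; }

    // Open mint, present only so the test can fund the buyer.
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    // Pattern from the finding: amount fixed inside burn (1e18 is assumed).
    function burnFixed(address from) external {
        require(msg.sender == list, "not list");
        balanceOf[from] -= 1e18;
    }

    // Recommended pattern: the caller passes the amount.
    function burn(address from, uint256 amount) external {
        require(msg.sender == list, "not list");
        balanceOf[from] -= amount;
    }
}

contract ListModel {
    uint256 public constant PURCHASED_PRESENT_COST = 2e18;
    TokenModel public immutable token;
    constructor() { token = new TokenModel(address(this)); }

    function buyPresentOld(address payer) external { token.burnFixed(payer); }
    function buyPresentFixed(address payer) external { token.burn(payer, PURCHASED_PRESENT_COST); }
}

contract PresentPriceTest is Test {
    ListModel list = new ListModel();
    address buyer = makeAddr("buyer");
    function setUp() public { list.token().mint(buyer, 5e18); }

    function test_OldPathChargesHalf() public {
        list.buyPresentOld(buyer);
        assertEq(list.token().balanceOf(buyer), 5e18 - list.PURCHASED_PRESENT_COST() / 2);
    }
    function test_FixedPathChargesFullCost() public {
        list.buyPresentFixed(buyer);
        assertEq(list.token().balanceOf(buyer), 5e18 - list.PURCHASED_PRESENT_COST());
    }
}
```

Asserting on the payer's balance delta against the named constant, rather than on the call merely succeeding, is what catches a burn amount that drifts from the advertised price.
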
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Price is not enforced in buyPresent

This line indicates that the intended cost of presents for naughty people should be 2e18: https://github.com/Cyfrin/2023-11-Santas-List/blob/6627a6387adab89ae2ba2e82b38296723261c08a/src/SantasList.sol#L87

PURCHASE_PRESENT_COST should be implemented to enforce the cost of presents.
