As stated in the contest details, only Santa should access the checkList and checkTwice functions. However, only the checkTwice function currently has a restriction on which addresses can execute it.
The vulnerability arises because the checkList function lacks access control. Any user can execute this function, and since its purpose is to attribute a status to an address in the s_theListCheckedOnce list, inappropriate use of this function could undermine the status control (which should be managed solely by Santa). This could consequently affect token distributions. An external user (a potential exploiter) can set their own status to NICE or EXTRA_NICE without Santa's approval. Furthermore, they can change other users' statuses, preventing them from collecting their rightful tokens.
This vulnerability has a severe impact, as it could lead to a complete loss of credibility in Santa's list by wrongly attributing NICE and EXTRA_NICE statuses to exploiters and by "revoking" (modifying) the statuses of other users who were correctly assigned. Additionally, it could cause an artificial scarcity of mintable NFTs and tokens by blocking the rightful addresses from collecting them.
Manual Code Review
Include the same onlySanta modifier used in the checkTwice function in the checkList function:
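The recommended fix as an added sketch with a Foundry regression test; this is not the contest's own code. Only checkList, onlySanta, s_theListCheckedOnce, NICE and EXTRA_NICE come from the finding; the contract name, error, getter, enum layout and the forge-std import are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumes a Foundry project with forge-std

// Hypothetical minimal contract: everything except the names quoted in the
// finding is assumed for illustration.
contract SantasListSketch {
    enum Status { NICE, EXTRA_NICE, NAUGHTY } // assumed layout

    error NotSanta(); // assumed error name

    address private immutable i_santa;
    mapping(address => Status) private s_theListCheckedOnce;

    constructor() {
        i_santa = msg.sender;
    }

    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    // The reported version had no modifier here, so any caller could write.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
    }

    function getStatusOnce(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

contract CheckListAccessTest is Test {
    SantasListSketch list;
    address user = makeAddr("user");

    function setUp() public {
        list = new SantasListSketch(); // the test contract deploys, so it is Santa
    }

    function testNonSantaCannotCheckList() public {
        vm.prank(user);
        vm.expectRevert(SantasListSketch.NotSanta.selector);
        list.checkList(user, SantasListSketch.Status.EXTRA_NICE);
    }

    function testSantaCanCheckList() public {
        // EXTRA_NICE is used because NICE is the enum's zero value in this sketch.
        list.checkList(user, SantasListSketch.Status.EXTRA_NICE);
        assertEq(uint256(list.getStatusOnce(user)), uint256(SantasListSketch.Status.EXTRA_NICE));
    }
}
```

Running `forge test` against the sketch fails the first test if the modifier is removed from checkList, which makes it usable as a regression check for this finding.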
Anyone can call checkList() and change the status of a provided address. This is not the intended functionality; the function is meant to be callable only by Santa.