A hacker can set up a bot that listens for Approval events from SantaToken, waits for a user to approve SantasList, and immediately sends a transaction that spends the approved tokens to obtain an NFT.
The flow between SantasList::buyPresent and SantasList::_mintAndIncrement assumes msg.sender and presentReceiver are the same account, but this opens a window for a hacker to carry out the following attack:
1. Set up a bot and listen for Approval events from SantaToken.
2. After a user approves SantasList, an Approval event is emitted and picked up by the bot.
3. The hacker sends a transaction calling SantasList::buyPresent with the user set as presentReceiver.
4. The user's tokens are burnt and the hacker receives an NFT.
Approved tokens can be spent by any account to buy NFTs.
Paste the following test in SantasListTest.t.sol to test the vulnerability.
Foundry and VS Code.
Update SantasList::buyPresent and SantasList::_mintAndIncrement as such:
In this way the buyer must have a balance of SantaToken to afford the purchase.
The current implementation allows a malicious actor to burn someone else's tokens, because the burn function does not check for approvals at all: the fee is taken from presentReceiver while the NFT goes to msg.sender.
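As an added illustration (not the audited contracts and not the report's PoC), the constructed stand-in contracts below show the vulnerable pattern beside the recommended fix. ToyToken, ToyList, burnFee and PRESENT_FEE are assumed names, and delivering the NFT to presentReceiver in the fixed version is an assumption about the intended gift semantics.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal token. Name and fee are illustrative, not the real SantaToken.
contract ToyToken {
    uint256 public constant PRESENT_FEE = 1e18;
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    // Burns the present fee from `from`. As in the finding, nothing here checks
    // that `from` approved the spender; the caller decides whose balance is debited.
    function burnFee(address from) external {
        require(balanceOf[from] >= PRESENT_FEE, "insufficient balance");
        balanceOf[from] -= PRESENT_FEE;
    }
}

// Constructed minimal list contract, standing in for SantasList.
contract ToyList {
    ToyToken public immutable token;
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    constructor(ToyToken t) {
        token = t;
    }

    // VULNERABLE pattern: the fee is burnt from presentReceiver while the NFT is
    // minted to msg.sender, so any caller can spend another account's balance.
    function buyPresentVulnerable(address presentReceiver) external {
        token.burnFee(presentReceiver);
        ownerOf[nextTokenId++] = msg.sender;
    }

    // FIXED pattern: the buyer (msg.sender) must hold enough tokens to pay,
    // and the present is delivered to presentReceiver (assumed intent).
    function buyPresentFixed(address presentReceiver) external {
        token.burnFee(msg.sender);
        ownerOf[nextTokenId++] = presentReceiver;
    }
}
```

With the fixed variant, an attacker calling buyPresentFixed(victim) only burns their own balance, so the Approval-watching bot described above gains nothing.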