Submission Details
Severity: high
Valid

`SantasList::checkList` is missing the `onlySanta` modifier, which makes it callable by anyone.

Summary

The `SantasList::checkList` function can be called by anyone, so an attacker is able to overwrite another person's status and cut off that person's rewards.

Vulnerability Details

@>  function checkList(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

Because the `onlySanta` modifier is missing, an attacker can call this function and change someone's status (say ALICE's) from NICE or EXTRA_NICE to NAUGHTY. ALICE has no way of knowing about it, and when Santa later calls `checkTwice`, ALICE will no longer receive the rewards.

Impact

    // Proof of concept (Foundry test; `santa` and `santasList` are created in setUp())
    address attacker = makeAddr("attacker");
    address ALICE = makeAddr("alice");

    function testCheckListCanBeCalledByAnyone() public {
        // Santa marks ALICE as NICE
        vm.prank(santa);
        santasList.checkList(ALICE, SantasList.Status.NICE);
        // The attacker overwrites the status; the call does not revert
        vm.prank(attacker);
        santasList.checkList(ALICE, SantasList.Status.NAUGHTY);
        // Assumes the contract's getter exposes the status written by checkList
        assertEq(uint256(santasList.getNaughtyOrNiceOnce(ALICE)), uint256(SantasList.Status.NAUGHTY));
    }

Tools Used

  • foundry

Recommendations

Add the `onlySanta` modifier to the `checkList` function so that only Santa can write to the once-checked list.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
