Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

`SantasList::checkList` is missing the `onlySanta` modifier, so anyone can call it.

Summary

`SantasList::checkList` has no access control, so any account can overwrite any address's first-check status. An attacker can use this to flip a NICE or EXTRA_NICE person to NAUGHTY and block their reward.

Vulnerability Details

@> function checkList(address person, Status status) external {   // no onlySanta
       s_theListCheckedOnce[person] = status;
       emit CheckedOnce(person, status);
   }

Because the `onlySanta` modifier is missing, an attacker can call `checkList` and overwrite the status of any address, for example setting ALICE, who is NICE or EXTRA_NICE, to NAUGHTY. ALICE is never notified. When Santa later calls `checkTwice(ALICE, NICE)`, the second check is compared against the first-check value the attacker wrote, so the call fails and ALICE cannot collect her present. The attacker can repeat this for every address on the list, and for as long as the function stays unprotected.

Impact

// Proof of concept (Foundry). Uses the santa and santasList fixtures from the
// repository's SantasListTest setUp().
address attacker = makeAddr("attacker");
address ALICE = makeAddr("alice");

function testCheckListCanBeCalledByAnyone() public {
    // Santa legitimately marks ALICE as NICE
    vm.prank(santa);
    santasList.checkList(ALICE, SantasList.Status.NICE);

    // An arbitrary account overwrites the status; the call does not revert
    vm.prank(attacker);
    santasList.checkList(ALICE, SantasList.Status.NAUGHTY);

    // ALICE's first check now reads NAUGHTY (getter exposed by SantasList)
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(ALICE)), uint256(SantasList.Status.NAUGHTY));
}

Tools Used

  • Foundry

Recommendations

Add the `onlySanta` modifier to `checkList`, as is already done for `checkTwice`, so that only Santa can set an address's first-check status. Add a test that asserts a non-Santa caller reverts, so the modifier cannot be dropped again unnoticed.
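The remediated function with a regression test, as an added illustration rather than code from the submission. The body of the `onlySanta` modifier and the `SantasList__NotSanta` error name are assumed to match the contract's existing definitions; the test reuses the `santa`, `santasList`, `attacker` and `ALICE` fixtures from the proof of concept above and would live in the test contract, not in `SantasList` itself.

```solidity
// Added example, not the submission's code.

// --- In SantasList.sol ---

// Assumed to match the contract's existing error and modifier.
error SantasList__NotSanta();

modifier onlySanta() {
    // Only the Santa address recorded at deployment may pass.
    if (msg.sender != i_santa) {
        revert SantasList__NotSanta();
    }
    _;
}

// Fixed: the first check is now restricted to Santa, like checkTwice.
function checkList(address person, Status status) external onlySanta {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}

// --- In the Foundry test contract (SantasListTest) ---

// Regression test: a non-Santa caller must revert and must not touch state.
function testCheckListRevertsForNonSanta() public {
    vm.prank(santa);
    santasList.checkList(ALICE, SantasList.Status.NICE);

    vm.prank(attacker);
    vm.expectRevert(SantasList.SantasList__NotSanta.selector);
    santasList.checkList(ALICE, SantasList.Status.NAUGHTY);

    // Status is unchanged after the failed call
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(ALICE)), uint256(SantasList.Status.NICE));
}
```

The `expectRevert` with the custom error selector, rather than a bare `expectRevert()`, ensures the test fails if the function starts reverting for some other reason and hides a regression.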

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality; the function is meant to be callable only by Santa.
