Contrary to the documentation and code comments, which state that only Santa can check the list once, anyone can call SantasList::checkList(), because the function performs no access control check.
SantasList::checkList() looks as follows:
The onlySanta modifier is missing from the function, so any address can call it.
The impact of this vulnerability is quite severe: an attacker can block anyone from claiming their rewards. To claim a reward, an address has to be checked twice and end up with the NICE or EXTRA_NICE status. The attacker can simply overwrite the entry in s_theListCheckedOnce for any address, setting it to NAUGHTY or NOT_CHECKED_TWICE, which effectively prevents that address from claiming any rewards. Because the call is unrestricted and can be repeated at any time, Santa cannot durably correct a poisoned entry either: the attacker can overwrite it again right after it is fixed.
Users can be blocked from claiming rewards.
Manual review
Add the onlySanta modifier to SantasList::checkList():
Anyone can call checkList() and change the status of any address. This is not intended functionality: the function is meant to be callable only by Santa.
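The following is an added, self-contained illustration of the finding and of the recommended fix; it is not the audited SantasList source. It reconstructs only the pieces the finding mentions (checkList, onlySanta, s_theListCheckedOnce and the four Status values). Everything else is an assumption made for the example: the i_santa immutable, the checkTwice function with its second check that must agree with the first, s_theListCheckedTwice, canCollectPresent, the two custom errors, and the enum ordering (NOT_CHECKED_TWICE is placed at index 0 so unset entries default to it). The Foundry test shows an attacker poisoning the first check on the vulnerable contract so Santa's honest second check reverts, and the same call being rejected on the fixed contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed ordering: NOT_CHECKED_TWICE first so an untouched mapping slot defaults to it.
enum Status {
    NOT_CHECKED_TWICE,
    NICE,
    EXTRA_NICE,
    NAUGHTY
}

error SantasList__NotSanta();                     // assumed name
error SantasList__SecondCheckDoesntMatchFirst();  // assumed name

// Shared storage and logic; only checkList differs between the two variants below.
abstract contract SantasListBase {
    address public immutable i_santa;                          // assumed
    mapping(address => Status) public s_theListCheckedOnce;    // from the finding
    mapping(address => Status) public s_theListCheckedTwice;   // assumed

    constructor() {
        i_santa = msg.sender;
    }

    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }

    function checkList(address person, Status status) external virtual;

    // Assumed: the second check must match the first, so a poisoned first
    // check makes Santa's honest second check revert.
    function checkTwice(address person, Status status) external onlySanta {
        if (s_theListCheckedOnce[person] != status) {
            revert SantasList__SecondCheckDoesntMatchFirst();
        }
        s_theListCheckedTwice[person] = status;
    }

    // Rewards require a second check with NICE or EXTRA_NICE.
    function canCollectPresent(address person) public view returns (bool) {
        Status s = s_theListCheckedTwice[person];
        return s == Status.NICE || s == Status.EXTRA_NICE;
    }
}

// Vulnerable variant: no access control on checkList, as described in the finding.
contract SantasListVulnerable is SantasListBase {
    function checkList(address person, Status status) external override {
        s_theListCheckedOnce[person] = status;
    }
}

// Fixed variant: the onlySanta modifier restricts checkList to Santa.
contract SantasListFixed is SantasListBase {
    function checkList(address person, Status status) external override onlySanta {
        s_theListCheckedOnce[person] = status;
    }
}

contract SantasListAccessControlTest is Test {
    address alice = makeAddr("alice");
    address attacker = makeAddr("attacker");

    function test_attackerBlocksClaimOnVulnerable() public {
        SantasListVulnerable list = new SantasListVulnerable(); // this test contract is Santa
        list.checkList(alice, Status.NICE);                     // Santa's first check

        vm.prank(attacker);
        list.checkList(alice, Status.NAUGHTY);                  // anyone can overwrite it

        vm.expectRevert(SantasList__SecondCheckDoesntMatchFirst.selector);
        list.checkTwice(alice, Status.NICE);                    // Santa's second check now fails
        assertFalse(list.canCollectPresent(alice));
    }

    function test_fixedRejectsNonSanta() public {
        SantasListFixed list = new SantasListFixed();

        vm.prank(attacker);
        vm.expectRevert(SantasList__NotSanta.selector);
        list.checkList(alice, Status.NAUGHTY);                  // blocked by onlySanta

        list.checkList(alice, Status.NICE);                     // Santa can still check
        list.checkTwice(alice, Status.NICE);
        assertTrue(list.canCollectPresent(alice));
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The two variants share one base so the only difference under test is the presence of onlySanta on checkList, which is exactly the change the recommendation asks for.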