Users can claim rewards even if they were not checked
Summary
In the Santa's List protocol, users can claim rewards if they were checked twice by Santa and determined to be NICE or EXTRA_NICE. Two mappings are used to determine that - s_theListCheckedOnce and s_theListCheckedTwice. The problem is that the default value for any address in those mappings is NICE. Therefore anyone can claim their rewards before they are checked by Santa.
Vulnerability Details
The SantasList::collectPresent() method contains the following check:
The sender's address is used to look up the status in two mappings - s_theListCheckedOnce and s_theListCheckedTwice, which are defined as follows:
The issue lays in the definition of enum Status:
When the two mappings are initialized, the value for each address is the default value for enum - the first value in enum's definition. As one can see in the enum's definition, the default value for Status is NICE.
That means that any address by default is already "checked twice" and has the status of NICE. Even if a user has not been checked by Santa, by default their are eligible for claiming the NFT.
Impact
Users can claim NFT even if they were not checked by Santa.
Tools Used
Manual review.
Recommendations
Make the NOT_CHECKED_TWICE the default value for enum Status.
Lead Judging Commences
default status is nice
In Solidity the first element of an enum is the default value. In Santa's List, the means each person is mapped by default to 'NICE'.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.