Submission Details
Severity: medium
Valid

The cost of a present is wrong

Summary

As the documentation states, and as the PURCHASED_PRESENT_COST constant indicates, the cost of a present is 2e18. However, the amount actually charged is 1e18.

Vulnerability Details

The documentation states that the cost of a present is 2e18. There is a constant in the SantasList contract that confirms this:

uint256 public constant PURCHASED_PRESENT_COST = 2e18;

However, this constant variable is not used anywhere. The SantasList::buyPresent() method calls the SantaToken::burn() method, which looks as follows:

function burn(address from) external {
    // Only SantasList may trigger a burn
    if (msg.sender != i_santasList) {
        revert SantaToken__NotSantasList();
    }
    // Hard-coded 1e18, not PURCHASED_PRESENT_COST (2e18)
    _burn(from, 1e18);
}

The actual amount of tokens burnt - and therefore the present's price - is 1e18. This is a serious issue as the price is only half of what was intended.

Impact

The actual price of a present is only half of the intended value.

Tools Used

Manual review

Recommendations

Change the burn amount in the SantaToken::burn() method to the correct value of 2e18.
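One way to apply the recommendation so that the price has a single source of truth, as an added illustration that is not the audited contest code: SantaToken::burn() takes the amount from its caller, and SantasList::buyPresent() passes PURCHASED_PRESENT_COST. The burn(from, amount) signature, the presentReceiver parameter, the plain balance mapping standing in for the ERC20 balance, and the omitted present-minting logic are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited code. The burn amount is driven by the
// PURCHASED_PRESENT_COST constant instead of a hard-coded 1e18 in SantaToken.
// The ERC20 base contract and present minting are omitted (assumption).

interface ISantaToken {
    function burn(address from, uint256 amount) external;
}

contract SantaToken {
    error SantaToken__NotSantasList();

    address private immutable i_santasList;
    // Stand-in for the ERC20 balance bookkeeping (assumption for this example)
    mapping(address => uint256) public balanceOf;

    constructor(address santasList) {
        i_santasList = santasList;
    }

    // Fix: the caller (SantasList) supplies the price, so the token no longer
    // carries a number that can drift from the documented cost.
    function burn(address from, uint256 amount) external {
        if (msg.sender != i_santasList) revert SantaToken__NotSantasList();
        _burn(from, amount);
    }

    function _burn(address from, uint256 amount) internal {
        require(balanceOf[from] >= amount, "SantaToken: insufficient balance");
        balanceOf[from] -= amount;
    }
}

contract SantasList {
    uint256 public constant PURCHASED_PRESENT_COST = 2e18; // documented price

    ISantaToken private immutable i_santaToken;

    constructor(ISantaToken token) {
        i_santaToken = token;
    }

    function buyPresent(address presentReceiver) external {
        // The constant is now the only place the price is defined.
        i_santaToken.burn(msg.sender, PURCHASED_PRESENT_COST);
        // ... mint the present to presentReceiver (omitted, assumption)
    }
}
```

A regression test should assert that the buyer's token balance drops by exactly PURCHASED_PRESENT_COST after buyPresent(), which fails against the original hard-coded 1e18 and passes against this version.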

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Price is not enforced in buyPresent

This line indicates that the intended cost of presents for naughty people should be 2e18: https://github.com/Cyfrin/2023-11-Santas-List/blob/6627a6387adab89ae2ba2e82b38296723261c08a/src/SantasList.sol#L87 PURCHASE_PRESENT_COST should be implemented to enforce the cost of presents.
