Submission Details
Severity: high
Valid

Missing access control, anyone can update s_theListCheckedOnce

Summary

The SantasList::checkList function in the SantasList.sol contract does not have proper access control. The function is intended to be callable only by the santa address, but currently any address can call it.

Impact

This issue could allow an unauthorized address to manipulate the status of any person in the list, potentially leading to incorrect statuses being assigned.

Tools Used

Manual review

Recommendations

To resolve this issue, a modifier that restricts function access to the santa address should be added to the checkList function. This can be achieved with the onlySanta modifier, which is already defined in the contract.

Here's how the updated checkList function would look:

- function checkList(address person, Status status) external {
+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
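Review bot: the hunk depends on the onlySanta modifier behaving as described, but its revert path is not visible here; the recommendation would be stronger with a regression test showing that a non-santa caller of checkList reverts while a call from the santa address still updates s_theListCheckedOnce and emits CheckedOnce.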

This change ensures that only the santa address can call the checkList function, providing the necessary access control.
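As an added illustration (not code from the audited contract or the submission), the following Foundry test pairs a minimal unprotected checkList with the onlySanta-gated version and checks both behaviours. The enum, the SantasList__NotSanta error name and the santa/stranger addresses are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for SantasList: shared state, event and modifier.
contract ListBase {
    enum Status { NICE, NAUGHTY }            // simplified; the real enum has more members
    error SantasList__NotSanta();            // assumed revert reason for non-santa callers
    event CheckedOnce(address person, Status status);
    address public immutable i_santa;
    mapping(address => Status) public s_theListCheckedOnce;

    constructor() { i_santa = msg.sender; }

    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }
}

// Vulnerable shape from the finding: no access control on checkList.
contract ListUnprotected is ListBase {
    function checkList(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}

// Recommended shape: the existing onlySanta modifier gates the call.
contract ListProtected is ListBase {
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
}

contract CheckListAccessTest is Test {
    address constant SANTA = address(0x1);     // constructed addresses
    address constant STRANGER = address(0x2);
    address constant PERSON = address(0x3);

    function test_unprotected_anyoneCanRewriteList() public {
        vm.prank(SANTA);
        ListUnprotected list = new ListUnprotected();
        vm.prank(STRANGER);
        list.checkList(PERSON, ListBase.Status.NAUGHTY); // succeeds: the finding
        assertEq(uint256(list.s_theListCheckedOnce(PERSON)), uint256(ListBase.Status.NAUGHTY));
    }

    function test_protected_onlySantaCanWrite() public {
        vm.prank(SANTA);
        ListProtected list = new ListProtected();
        vm.prank(STRANGER);
        vm.expectRevert(ListBase.SantasList__NotSanta.selector);
        list.checkList(PERSON, ListBase.Status.NAUGHTY); // blocked by onlySanta
        vm.prank(SANTA);
        list.checkList(PERSON, ListBase.Status.NAUGHTY); // santa still works
        assertEq(uint256(list.s_theListCheckedOnce(PERSON)), uint256(ListBase.Status.NAUGHTY));
    }
}
```

Run with `forge test --match-contract CheckListAccessTest`; the first test documents the bug, the second is the regression check for the fix.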

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
