Can mint unlimited tokens and NFTs. Incorrect balance check.
Summary
It is possible to mint an unlimited amount of tokens and NFTs through SantasList::collectPresent due to a vulnerable AlreadyCollected check.
Vulnerability Details
Users who are Status.NICE can mint unlimited amounts of tokens and users with Status.Extra_Nice can mint an unlimited amount of tokens AND NFTs by calling SantasList::collectPresent. Then transfer the claimed tokens to another account, after that SantasList::collectPresent can be called again.
It should only be possible to collect the present once, however the contract checks the balance of tokens for the user as an access control which gets invalidated if the attacker simply transfers the tokens to another address.
Impact
Unlimited minting is possible
Tools Used
Manual review
Recommendations
Add a mapping of users who have claimed and check this mapping instead of balanceOf(msg.sender)
Lead Judging Commences
Weak Already Collected Check
Relying on balanceOf > 0 in collectPresent() allows the msg.sender to send their present to another address and then collect again.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.