First Flight #5: Santa's List
First Flight #5
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

SantasList buyPresent() is not able t

n4thedev01

Summary

buyPresent() burns the presentReceiver address tokens but if the presentReceiver is not the msg.sender then it will attempt to burn the presentReceiver's tokens - very likely the presentReceiver does not have any SantaToken's so it would revert and presentReceiver would never receive there present.

Vulnerability Details

buyPresent will only work if someone is buying themselves a present, it will not work for buying someone else unless that someone else has enough SantaToken's already.

function testBuyPresentWillNotWorkForBuyingSomeoneElseAPresent() public {
vm.startPrank(address(santasList));
santaToken.mint(user);
vm.stopPrank();
vm.startPrank(user);
vm.expectRevert();
santasList.buyPresent(address(10));
vm.stopPrank();
}

Impact

  • People will be able unable to buy Someone Else a present.

  • Malicious users who know others have SantaToken could call this function and empy that persons SantaToken's.

Tools Used

Manual Review
Foundry Test

Recommendations

function buyPresent(address presentReceiver) external {
- i_santaToken.burn(presentReceiver);
+ i_santaToken.burn(msg.sender);
_mintAndIncrement();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.