First Flight #5: Santa's List

First Flight #5

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Access Modifier in checkList Allows Malicious Actors to Block Users from Claiming Presents

forkforkdog

Summary

Bots (or other sophisticated players) can change SantasList::Status of the user to NAUGTY immediately after Santa sets status of the user to NICE, thus making users ineligible for claiming presents.

Vulnerability Details

Function checkList(address person, Status status) has no access control, so anybody can change users status.

// * Only callable by santa

function checkList(address person, Status status) @> external {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

Impact

As coming from comments, checkList() should be callable only by Santa, which is not the case.

@> function checkList(address person, Status status) external {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

An attacker can use a bot that will:

Wait for Santa to change the status of a user to eligible, e.g., NICE or EXTRA_NICE
Immideately send following transaction to change status back to NAUGHTY
User transactions for claiming his presents will revert
Any further attempts to change back the Status by non-sophisticated players will be backrunned by bot

Foundry PoC below:

function test_MEVgriefing() public {

vm.startPrank(santa);

santasList.checkList(user, SantasList.Status.EXTRA_NICE);

santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);

vm.stopPrank();

//Naughty Grinch's MEV bot sends transaction immediately after Santa

vm.startPrank(grinch);

santasList.checkList(user, SantasList.Status.NAUGHTY);

vm.stopPrank();

vm.startPrank(user);

vm.expectRevert(); //user fails to claim presents

santasList.collectPresent();

}

Full test on GitHub repo fork

Tools Used

Foundry

Recommendations

Add access modifier

function checkList(address person, Status status) external onlySanta {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.

Rewards breakdown

nSLOC

116

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.