Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Missing access control in the function checkList(), which allows anyone to check users once

Summary

The function checkList() is missing the onlySanta access control modifier, which should ensure that only Santa can assign one of the given characteristics to a user's address. As a result, any caller can perform the one-time check and assign any of the characteristics to any address.

Vulnerability Details

The following function, which is responsible for recording the status of a user's address, has no access control:

function checkList(address person, Status status) external {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}

Impact

Since anyone can perform the first check by calling checkList(), a single user can mark multiple addresses under their own control as NICE or EXTRA NICE in order to collect the reward from the contract.
The following PoC demonstrates that any user can check another user's address:

function testCheckList2() public {
    vm.prank(user);
    santasList.checkList(user2, SantasList.Status.NAUGHTY);
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(user2)), uint256(SantasList.Status.NAUGHTY));
}

Tools Used

Manual Analysis, Foundry

Recommendations

Add the onlySanta modifier to the function checkList():

+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
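Review bot: the diff shows only the added line `+ function checkList(address person, Status status) external onlySanta {` with no matching `-` line for the original signature, so read as a patch it would introduce a second checkList() declaration rather than modify the existing one; pair it with `- function checkList(address person, Status status) external {` so the change reads as a one-line modification. The recommendation also assumes an onlySanta modifier is already defined in the contract; pointing at that definition would make the fix self-contained.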
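An added example, not the report's PoC or the project's own code: a constructed minimal stand-in for the contract with the onlySanta modifier applied to checkList(), plus Foundry tests showing that the report's PoC path (an arbitrary user calling checkList()) now reverts while Santa can still check an address once. The contract name SantasListMinimal, the error SantasList__NotSanta and the Status enum values are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in for the contract under review (not the project's own code):
// only the state and functions needed to exercise checkList() are modelled.
contract SantasListMinimal {
    enum Status { NICE, EXTRA_NICE, NAUGHTY }
    error SantasList__NotSanta(); // assumed error name for this example
    event CheckedOnce(address indexed person, Status indexed status);
    address private immutable i_santa;
    mapping(address => Status) private s_theListCheckedOnce;
    constructor() { i_santa = msg.sender; } // deployer is Santa
    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }
    // Hardened form of the reported function: the modifier limits callers to Santa.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }
    function getNaughtyOrNiceOnce(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

contract CheckListAccessTest is Test {
    SantasListMinimal santasList;
    address santa = makeAddr("santa");
    address user = makeAddr("user");
    address user2 = makeAddr("user2");
    function setUp() public {
        vm.prank(santa); // the next call (the deployment) is made by Santa
        santasList = new SantasListMinimal();
    }
    // The report's PoC path: an arbitrary user calling checkList() now reverts.
    function testNonSantaCannotCheckList() public {
        vm.prank(user);
        vm.expectRevert(SantasListMinimal.SantasList__NotSanta.selector);
        santasList.checkList(user2, SantasListMinimal.Status.NICE);
    }
    // Santa keeps the intended ability to check an address once.
    function testSantaCanStillCheckList() public {
        vm.prank(santa);
        santasList.checkList(user2, SantasListMinimal.Status.NICE);
        assertEq(uint256(santasList.getNaughtyOrNiceOnce(user2)), uint256(SantasListMinimal.Status.NICE));
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; the negative test is the one that fails against the unpatched function.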
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
