Users can claim prizes without being checked
Summary
A person is supposed to be able to claim their prizes if they were NICE or EXTRA_NICE, which is supposed to be determined by Santa with a double check.
A user who sees that Santa will his status to less than NICE could front-run him and claim his rewards anyway.
Vulnerability Details
Due to the way solidity works, whenever we initialize the mapping address->enum, every user will start of with a status of NICE on both mappings, since in solidity the default value for an enum is the first element, in our case NICE. If a user sees that Santa will reduce their status, they know for sure they would not be able to get their presents, so they can front-run him and claim their NFT, since the checks for s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE would pass.
Impact
Users can simply mint themselves tokens in the event that they would be deemed NAUGHTY
Tools Used
Manual Review
Recommendations
Change the enum of statuses, so that the first element is one that would not allow users to act before Santa. Either swap it for NAUGHTY or add something like NOT_CHECKED
Lead Judging Commences
default status is nice
In Solidity the first element of an enum is the default value. In Santa's List, the means each person is mapped by default to 'NICE'.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.