Submission Details
Severity: high
Valid

Missing safety modifier allows any user to call function

Summary

The checkList function can be called by any user.

Vulnerability Details

The code involved:

function checkList(address person, Status status) external {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}

The comment states that this function is only callable by Santa, but no such restriction is enforced: any user can call it.

Impact

Any user can call this function and change the status of any address in the s_theListCheckedOnce mapping, setting it to any value of the Status enum. An attacker could mark themselves as NICE or EXTRA_NICE and thus steal funds.

Tools Used

Visual inspection.

Recommended Mitigation

Add the onlySanta modifier to this function. For example:

function checkList(address person, Status status) external onlySanta {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}
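As an added example (not the contest's code), a minimal stand-in contract with the recommended onlySanta modifier together with a Foundry regression test that checks an arbitrary caller reverts while Santa can still write to the list. The enum members beyond NICE/EXTRA_NICE, the NotSanta error, the deployer-is-Santa constructor, the statusOf getter and the forge-std imports are assumptions made for this example.

```solidity
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the audited contract: only the pieces this finding touches.
contract SantasListFixed {
    enum Status { NICE, EXTRA_NICE, NAUGHTY } // assumed members beyond NICE/EXTRA_NICE
    error NotSanta();                          // assumed error name
    event CheckedOnce(address person, Status status);
    address private immutable i_santa;
    mapping(address => Status) private s_theListCheckedOnce;

    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    constructor() { i_santa = msg.sender; } // assumed: deployer is Santa

    // Recommended fix applied: only Santa may write to the list.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

    function statusOf(address p) external view returns (Status) { return s_theListCheckedOnce[p]; }
}

contract CheckListAccessControlTest is Test {
    SantasListFixed list;
    address santa = makeAddr("santa");
    address user = makeAddr("user");

    function setUp() public {
        vm.prank(santa); // deployer becomes Santa
        list = new SantasListFixed();
    }

    // Regression test for the finding: an arbitrary caller cannot set their own status.
    function test_nonSantaCannotCheckList() public {
        vm.prank(user);
        vm.expectRevert(SantasListFixed.NotSanta.selector);
        list.checkList(user, SantasListFixed.Status.EXTRA_NICE);
    }

    function test_santaCanCheckList() public {
        vm.prank(santa);
        list.checkList(user, SantasListFixed.Status.NICE);
        assertEq(uint256(list.statusOf(user)), uint256(SantasListFixed.Status.NICE));
    }
}
```

Run with `forge test`; the first test fails against the original unguarded checkList and passes once onlySanta is added.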

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality and is meant to be callable only by Santa.
