BuyPresent function does not work as expected
Summary
The buyPresent function does not operate as expected.
Vulnerability Details
The comments to the function:
/*
* @notice Buy a present for someone else. This should only be callable by anyone with SantaTokens.
* @dev You'll first need to approve the SantasList contract to spend your SantaTokens.
*/
Code involved:
function buyPresent(address presentReceiver) external {
i_santaToken.burn(presentReceiver);
_mintAndIncrement();
}
function _mintAndIncrement() private {
_safeMint(msg.sender, s_tokenCounter++);
}
According to the comments, buyPresent should allow someone with SantaTokens to buy an NFT present for another address. Instead, this code allows for the msg.sender to burn the tokens of another address and receive the NFT themselves.
Impact
This could cause confusion and lead to loss of trust in the protocol.
Tools Used
Visual inspection.
Recommendations
This code can be altered to achieve the stated goal in the comments, for example:
function buyPresent(address presentReceiver) external {
i_santaToken.burn(msg.sender);
_mintAndIncrement(presentReceiver);
}
function _mintAndIncrement(address receiver) private {
_safeMint(receiver, s_tokenCounter++);
}
This would allow for the msg.sender to burn SantaTokens and then send an NFT to another address.
Lead Judging Commences
buyPresent should use msg.sender
Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.
buyPresent should send to presentReceiver
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.