Beginner FriendlyFoundry
100 EXP
Submission Details
Severity: high
Valid

Everybody is allowed to check himself once

Summary

The function SantasList.checkList() is missing the onlySanta modifier, so any user can call it.

Vulnerability Details

Any user can add themselves to s_theListCheckedOnce by calling the unprotected function SantasList.checkList().

Impact

The impact is low, because Santa checks everybody anyway and overwrites the status if there is one already.

Tools Used

Manual code review.

Recommendations

Add the onlySanta modifier to the function SantasList.checkList().
And here's a test for this:

    function testCheckListAsUser() public {
        // Impersonate a non-Santa address for the next call
        vm.prank(user);
        // With the onlySanta modifier in place, the call must revert with SantasList__NotSanta
        vm.expectRevert(SantasList.SantasList__NotSanta.selector);
        santasList.checkList(user, SantasList.Status.NICE);
    }
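To show the finding and the fix side by side, here is an added example (not the Santa's List project's own code): a minimal contract with the unprotected function next to the onlySanta-guarded one, plus Foundry tests for both paths. The names checkList, onlySanta, s_theListCheckedOnce, SantasList__NotSanta and Status come from the report; the enum members, the i_santa variable and the getStatus helper are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import {Test} from "forge-std/Test.sol";

// Illustrative reconstruction, not the audited contract. Enum members,
// i_santa and getStatus are assumed; the other names are from the report.
contract SantasListExample {
    error SantasList__NotSanta();
    enum Status { NICE, EXTRA_NICE, NAUGHTY, NOT_CHECKED_TWICE } // assumed

    address private immutable i_santa;
    mapping(address => Status) private s_theListCheckedOnce;

    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }

    constructor() { i_santa = msg.sender; }

    // Before the fix: no access control, so any caller writes any address's status.
    function checkListUnprotected(address person, Status status) external {
        s_theListCheckedOnce[person] = status;
    }

    // After the fix: only Santa may write to the list.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
    }

    function getStatus(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

// Foundry tests: the unprotected path lets a stranger set their own status,
// the guarded path reverts with SantasList__NotSanta.
contract SantasListExampleTest is Test {
    SantasListExample list;
    address user = makeAddr("user");

    function setUp() public { list = new SantasListExample(); } // this contract is Santa

    function testUserCanSelfCheckWhenUnprotected() public {
        vm.prank(user);
        list.checkListUnprotected(user, SantasListExample.Status.NICE);
        assertEq(uint256(list.getStatus(user)), uint256(SantasListExample.Status.NICE));
    }

    function testUserRevertsWhenProtected() public {
        vm.prank(user);
        vm.expectRevert(SantasListExample.SantasList__NotSanta.selector);
        list.checkList(user, SantasListExample.Status.NICE);
    }
}
```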
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList(), changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
