the cost of the NFT via the buyPresent function is wrong - lower profit in the mint
Summary
Reading the documentation you understand that the cost should be 2e18 instead of 1e18: buyPresent: A function that trades 2e18 of SantaToken for an NFT. This function can be called by anyone..
But the SantaToken::burn has the wrong amount.
Vulnerability Details
The cost of using the SantasList::buyPresent feature should be 2e18 instead of 1e18, so your profit will be halved.
In the SantasList code there is a constant PURCHASED_PRESENT_COST (which is not used) that should be used in the SantaToken contract.
Impact
The profit from the sale of NFTs through tokens will have a halved profit.
Tools Used
Manual review
Recommendations
The SantaToken::burn function needs to be modified by changing the amount of tokens to burn, using the constant SantasList::PURCHASED_PRESENT_COST that was mistakenly placed in the SantasList contract.
So, in SantasList we need to remove the constant
and move it inside the SantaToken contract, after that we update the burn function
Lead Judging Commences
Price is not enforced in buyPresent
This line indicates that the intended cost of presents for naughty people should be 2e18: https://github.com/Cyfrin/2023-11-Santas-List/blob/6627a6387adab89ae2ba2e82b38296723261c08a/src/SantasList.sol#L87 PURCHASE_PRESENT_COST should be implemented to enforce the cost of presents.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.