Submission Details
Severity:
Function Checklist() does not have a restricted call.
Summary
Function checkList should only be callable by santa. Instead it is an unrestricted function that anyone can call.
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}```
## Vulnerability Details
This external call should be only callable by Santa but, but can be called by anyone.
## Impact
Anyone can add an address / malicious contract and status to SantasList. They can also change the Status of previously enter address for example : NAUGHTY -> EXTRA NICE. They can also add as many address as they want as it is unrestricted.
## Tools Used
HardHat
## Recommendations
add the "santaOnly" Modifier to this function
```function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}```
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
Access Control on checkList()
Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
Rewards breakdown
nSLOC
116This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.