Submission Details
Severity: high
Valid

buyPresent() does not spend the caller's tokens

Summary

The buyPresent() function burns the tokens of the receiver rather than the caller, while minting the NFT to msg.sender.

Vulnerability Details

The buyPresent() function is meant to let a caller buy a present for someone else, but instead of burning the caller's tokens it burns the tokens of the address passed as the receiver. Because the token's burn function does not check approvals, anyone can pass a third party's address and have that address's tokens destroyed.

The following test, placed in the project's Foundry test contract (it uses the existing santasList, santaToken, santa and user fixtures), fails because buyPresent(santa) tries to burn santa's tokens, which santa does not hold, instead of the caller's.

function testBuyPresent() public {
    // santa marks user EXTRA_NICE (checked twice) so collectPresent() mints the reward tokens
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
    vm.stopPrank();

    // move past Christmas so presents can be collected
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

    vm.startPrank(user);
    santaToken.approve(address(santasList), 1e18);
    santasList.collectPresent(); // user now holds 1 NFT and 1e18 SantaToken

    // reverts: burns santa's tokens (the receiver), not user's (the caller)
    santasList.buyPresent(santa);

    // never reached, since the call above reverts
    assertEq(santasList.balanceOf(user), 1);
    assertEq(santaToken.balanceOf(user), 1e18);
    vm.stopPrank();
}

Impact

Users can lose funds. Any caller can invoke buyPresent() with another account as the receiver and burn that account's tokens, since burn() performs no approval check, while the caller collects the NFT for free.

Tools Used

Foundry (forge test)

Recommendations

The buyPresent() function should burn the tokens of msg.sender (the caller who is paying) rather than those of the receiver, and mint the present to the receiver the caller named.
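The vulnerable shape beside the hardened one, as an added illustration that is not the audited project's source. MiniSantaToken, SantasListBase, giveTokens(), presentsOf and the PURCHASED_PRESENT_COST value are hypothetical minimal stand-ins; only the who-pays / who-receives logic in buyPresent() mirrors the finding. The burn() gate ("caller must be SantasList", no allowance check) is assumed from the judge's note above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical token stand-in (not the project's SantaToken).
contract MiniSantaToken {
    mapping(address => uint256) public balanceOf;
    address public immutable santasList;

    error NotSantasList();
    error InsufficientBalance(address from, uint256 have, uint256 need);

    constructor(address list) {
        santasList = list;
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != santasList) revert NotSantasList();
        balanceOf[to] += amount;
    }

    // Assumed: the only gate is "caller is SantasList". There is no allowance
    // check, so whatever `from` SantasList passes loses its tokens.
    function burn(address from, uint256 amount) external {
        if (msg.sender != santasList) revert NotSantasList();
        uint256 have = balanceOf[from];
        if (have < amount) revert InsufficientBalance(from, have, amount);
        balanceOf[from] = have - amount;
    }
}

// Hypothetical list stand-in; presentsOf replaces the NFT balance.
abstract contract SantasListBase {
    MiniSantaToken public immutable santaToken;
    uint256 public constant PURCHASED_PRESENT_COST = 1e18; // assumed price
    mapping(address => uint256) public presentsOf;

    constructor() {
        santaToken = new MiniSantaToken(address(this));
    }

    // Test-only faucet standing in for collectPresent()'s token reward.
    function giveTokens(address to, uint256 amount) external {
        santaToken.mint(to, amount);
    }

    function _mintPresent(address to) internal {
        presentsOf[to] += 1;
    }

    function buyPresent(address presentReceiver) external virtual;
}

// Vulnerable shape from the finding: the receiver pays, the caller gets the present.
contract VulnerableSantasList is SantasListBase {
    function buyPresent(address presentReceiver) external override {
        santaToken.burn(presentReceiver, PURCHASED_PRESENT_COST);
        _mintPresent(msg.sender);
    }
}

// Hardened shape: the caller pays from their own balance; the present goes to the receiver.
contract FixedSantasList is SantasListBase {
    function buyPresent(address presentReceiver) external override {
        santaToken.burn(msg.sender, PURCHASED_PRESENT_COST);
        _mintPresent(presentReceiver);
    }
}

contract BuyPresentExampleTest is Test {
    address attacker = makeAddr("attacker");
    address victim = makeAddr("victim");

    // Attacker holds no tokens yet drains the victim and receives a present.
    function testVulnerableBurnsVictimTokens() public {
        VulnerableSantasList list = new VulnerableSantasList();
        list.giveTokens(victim, 1e18);
        vm.prank(attacker);
        list.buyPresent(victim);
        assertEq(list.santaToken().balanceOf(victim), 0);
        assertEq(list.presentsOf(attacker), 1);
    }

    // Same call against the fix reverts because the attacker cannot pay.
    function testFixedChargesCaller() public {
        FixedSantasList list = new FixedSantasList();
        list.giveTokens(victim, 1e18);
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(MiniSantaToken.InsufficientBalance.selector, attacker, 0, 1e18)
        );
        list.buyPresent(victim);
        assertEq(list.santaToken().balanceOf(victim), 1e18);
    }
}
```

Save the file under the project's test/ directory (for example test/BuyPresentExample.t.sol) and run `forge test --match-contract BuyPresentExampleTest`. The first test passes against the vulnerable contract only because burn() trusts whatever address SantasList hands it; the fix makes the caller the payer so that trust can no longer be redirected at a third party.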

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.
