Summary

The buyPresent function does not have any restrictions for the msg.sender to be the designated Santa. This means that any address, including Santa, can call this function and buy presents for others, potentially deviating from the intended behavior described in the documentation.

Vulnerability Details

The buyPresent function allows any address, including Santa, to call it and purchase presents for others without any restriction.
And as explained in the protocol, it’s OK if Santa mints SantaToken, he could buy all the presents in this case.

According to the documentation, it is not intended for Santa to be able to buy presents for anyone he wants (and especially him). The desired behavior is for only regular users to be able to buy presents for others. However, due to the lack of a restriction, Santa can invoke this function and buy all the presents after minting SantaTokens (Santa’s minting is tolerate by the protocole).

Foundry PoC

Impact

Protocol is Ok for Santa’s minting tokens, which can be in the future a High vulnerability.
Currently Santa can only (without exploiting other vulnerabilities), buy presents if others send him tokens, or if he set himself as Extra-Nice and collect tokens. In the last case, he could only buy one present.

Tools Used

Manual review

Recommendations

To address the lack of restriction for Santa in the buyPresent function, it is recommended to add a check to ensure that only regular users can call this function, and Santa is restricted from buying presents for him or others. This can be done by incorporating a modifier or an additional conditional statement. Here is an example using a modifier: