Submission Details
Severity: high
Valid

Missing modifier: anyone can call the `checkList` function

Summary

According to the documentation, only Santa should be allowed to call the `checkList` function.

Vulnerability Details

The `checkList` function is an external function that is missing the `onlySanta` modifier.

Impact

The `checkList` function is open to anyone, which means any random person can impersonate Santa and could influence Santa to call the `checkTwice` function in their favor.

Below you will find a test case showing that anyone can call the checkList function

Here is the function

```solidity
// <@ missing onlySanta modifier: any address can call this function
function checkList(address person, Status status) external {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}
```

Here is the test showing that anyone can call the checkList function. You can add this test directly to SantasListTest.t.sol

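```solidity
function testCheckListAnyOne() public {
    // Call as an arbitrary user rather than as Santa
    vm.prank(user);
    santasList.checkList(user, SantasList.Status.NICE);
    // The call succeeds and the status is written
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));
}
```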

Tools Used

Foundry, manual

Recommendations

Add an `onlySanta` modifier to the above function.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
