Severity: high
Valid

Missing SantaToken Payment Logic

Summary

The buyPresent function in the SantaList contract lacks a clear payment logic. Instead of the usual transactional flow where the buyer's tokens are exchanged for goods, the function directly burns SantaTokens from the presentReceiver's account. This setup does not involve any explicit transaction or exchange from the caller's (buyer's) account.

Vulnerability Details

Impact

The absence of a conventional payment logic in the buyPresent function can lead to several critical issues:

  • Unexpected Token Deduction: presentReceiver may unexpectedly lose tokens without their consent.

  • User Misunderstanding: Users might wrongly assume that their own tokens will be used to purchase the NFT, leading to confusion.

  • Potential for Misuse: Naughty actors could utilize this function to deplete SantaTokens from other users' accounts by nominating them as presentReceiver.

Here is a POC:

  1. User A attempts to use buyPresent to gift an NFT to User B, assuming User A's tokens will be used for the purchase.

  2. The function, however, burns SantaTokens from User B's account, without User B initiating or consenting to the transaction.

  3. User B’s account unexpectedly loses tokens, leading to confusion and potential disputes.

Tools Used

Recommendations

Implement Buyer-Centric Payment Logic

Validate Token Ownership and Approval

Enhance Function Clarity
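
The reported behaviour beside a buyer-centric version, as an added sketch that is not the contest's code. SketchToken, SketchList, COST, fund and the presents counter are assumptions made for illustration; only the burn-from-presentReceiver behaviour and the msg.sender fix come from this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch: simplified stand-ins, not the audited SantaToken/SantaList source.
contract SketchToken {
    address public immutable list;                // only the list contract may mint or burn
    mapping(address => uint256) public balanceOf;

    constructor(address list_) { list = list_; }

    modifier onlyList() { require(msg.sender == list, "not list"); _; }

    function mint(address to, uint256 amount) external onlyList { balanceOf[to] += amount; }

    // No allowance check: whichever account the list names is debited.
    function burn(address from, uint256 amount) external onlyList { balanceOf[from] -= amount; }
}

contract SketchList {
    uint256 public constant COST = 1e18;          // assumed price
    SketchToken public immutable token;
    mapping(address => uint256) public presents;  // counter standing in for the NFT mint

    constructor() { token = new SketchToken(address(this)); }

    // Sketch-only faucet so both variants can be exercised in a test.
    function fund(address to) external { token.mint(to, COST); }

    // As reported: the named receiver is debited; the caller spends nothing.
    function buyPresentAsReported(address presentReceiver) external {
        token.burn(presentReceiver, COST);
        presents[presentReceiver] += 1;           // recipient is an assumption of this sketch
    }

    // Buyer-centric: the caller is debited, so calling is the consent.
    function buyPresentFixed(address presentReceiver) external {
        require(presentReceiver != address(0), "zero receiver");
        require(token.balanceOf(msg.sender) >= COST, "insufficient SantaToken");
        token.burn(msg.sender, COST);
        presents[presentReceiver] += 1;
    }
}
```

In a Foundry test, funding User B and calling buyPresentAsReported(B) from User A leaves B's balance at zero, while buyPresentFixed(B) from an unfunded User A reverts.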

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.
