Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Lack of access control in checkList().

Summary

The documentation specifies that checkList() is only callable by Santa.

Vulnerability Details

However, the onlySanta modifier is missing from checkList(), so the function carries no access control at all.

Impact

Any attacker can call checkList() and set an arbitrary address's initial status to either naughty or nice.

POC

Code snippet

```solidity
/**
 * @notice Do a first pass on someone if they are naughty or nice.
 * Only callable by santa
 * @param person The person to check
 * @param status The status of the person
 */
function checkList(address person, Status status) external {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}
```

Test Case

```solidity
function testCheckList1() public {
    vm.prank(attacker);
    santasList.checkList(user, SantasList.Status.NICE);
    assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));
}
```

Tools Used

Manual Review.

Recommendations

Add the onlySanta modifier to checkList():

```solidity
function checkList(address person, Status status) external onlySanta {
    s_theListCheckedOnce[person] = status;
    emit CheckedOnce(person, status);
}
```
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
