Submission Details
Severity: high
Valid

Arbitrary user can call `buyPresent` on behalf of token owner without validation

Summary

Anyone can call `buyPresent` even though they hold no SantaTokens. There is a mismatch between the protocol documentation and the implementation.

Vulnerability Details

The documentation states that the `buyPresent` function is only callable by someone holding SantaToken. However, the function performs no balance check on the caller. Consider two users, A and B. A holds SantaToken, has approved the `SantasList` contract, and intends to buy a present for a friend. B sees the opportunity and calls `buyPresent` right before A executes the function. B simply passes A's address as the `presentReceiver` parameter: A's tokens are burnt and B receives the NFT.

Impact

The unintended behavior of the `buyPresent` function can cause token holders to lose their tokens without receiving anything in return.

Tools Used

Manual Review

Recommendations

  1. Check whether `msg.sender` in the `buyPresent` function has enough balance.

  2. Burn the tokens of `msg.sender`, not of `presentReceiver`.

  3. Allocate the NFT to `presentReceiver`, not to `msg.sender`.
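The following is an added illustration written for this page, not the audited project's code: a minimal token and list contract reconstructed from the scenario in "Vulnerability Details", placed beside a version that applies the three recommendations above, with a Foundry test that exercises the A/B scenario against both. `SimpleSantaToken`, `SantasListBase`, `PRESENT_COST`, `presentOwner` and `fund` are assumed names chosen for the illustration; the contest's real contracts may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the SantaToken (assumed shape): only the list contract may
// mint or burn, but burn() takes a `from` address and never checks an allowance.
contract SimpleSantaToken {
    address public immutable santasList;
    mapping(address => uint256) public balanceOf;

    constructor() {
        santasList = msg.sender; // deployed by the list contract
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == santasList, "not santasList");
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external {
        require(msg.sender == santasList, "not santasList");
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
    }
}

// Shared state; presentOwner is a minimal stand-in for NFT ownership.
abstract contract SantasListBase {
    SimpleSantaToken public immutable token;
    uint256 public constant PRESENT_COST = 1e18; // assumed cost
    mapping(uint256 => address) public presentOwner;
    uint256 public nextPresentId;

    constructor() {
        token = new SimpleSantaToken();
    }

    // Test helper (constructed for this illustration), deliberately unrestricted.
    function fund(address who, uint256 amount) external {
        token.mint(who, amount);
    }
}

// The pattern the finding describes: burns the receiver's tokens, records the
// present for the caller, and never checks the caller's balance.
contract VulnerableSantasList is SantasListBase {
    function buyPresent(address presentReceiver) external {
        token.burn(presentReceiver, PRESENT_COST);
        presentOwner[nextPresentId++] = msg.sender;
    }
}

// Applies the three recommendations: check msg.sender's balance, burn from
// msg.sender, allocate the present to presentReceiver.
contract FixedSantasList is SantasListBase {
    function buyPresent(address presentReceiver) external {
        require(token.balanceOf(msg.sender) >= PRESENT_COST, "not enough SantaToken");
        token.burn(msg.sender, PRESENT_COST);
        presentOwner[nextPresentId++] = presentReceiver;
    }
}

contract BuyPresentTest is Test {
    address constant A = address(0xA11CE); // token holder
    address constant B = address(0xB0B);   // holds no tokens

    // Vulnerable version: B, with zero balance, spends A's tokens and keeps the present.
    function test_vulnerable_burnsOthersTokens() public {
        VulnerableSantasList list = new VulnerableSantasList();
        list.fund(A, 1e18);

        vm.prank(B);
        list.buyPresent(A);

        assertEq(list.token().balanceOf(A), 0); // A paid ...
        assertEq(list.presentOwner(0), B);      // ... and B got the present
    }

    // Fixed version: B's call reverts; A pays and the present goes to the receiver.
    function test_fixed_requiresCallerBalance() public {
        FixedSantasList list = new FixedSantasList();
        list.fund(A, 1e18);

        vm.prank(B);
        vm.expectRevert(bytes("not enough SantaToken"));
        list.buyPresent(A);

        vm.prank(A);
        list.buyPresent(B);
        assertEq(list.token().balanceOf(A), 0); // A paid ...
        assertEq(list.presentOwner(0), B);      // ... and B received the gift
    }
}
```

Run with `forge test` in a Foundry project that has `forge-std` installed. The explicit balance check in `FixedSantasList.buyPresent` is redundant with the check inside `burn`, but it makes the contract's own precondition visible and gives a clear revert reason, which matches recommendation 1.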

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.

buyPresent should send to presentReceiver
