Submission Details
Severity: high
Valid

buyPresent() can spend tokens of arbitrary users

Summary

The buyPresent() function burns the tokens of 'presentReceiver', NOT those of the caller who is 'buying' the present.

Vulnerability Details

i_santaToken.burn(presentReceiver);

This line burns SantaToken from 'presentReceiver', so the caller's tokens are untouched.

_mintAndIncrement();

_mintAndIncrement() mints the present NFT to msg.sender, NOT to 'presentReceiver'.

Impact

An attacker can call buyPresent(victim) for any user holding SantaToken (no approval by the victim is needed, since the burn goes through without an allowance check), 'spending' the victim's tokens to mint a present for the attacker. The attacker can therefore drain other users' tokens and mint as many presents for themselves as the victims' balances allow, at no cost. High severity because of this.

Tools Used

Manual review

Recommendations

Change buyPresent() so that the caller pays and the receiver gets the present:

function buyPresent(address presentReceiver) external {
    i_santaToken.burn(msg.sender);
    _mintAndIncrement(presentReceiver);
}

and give _mintAndIncrement() a receiver parameter:

function _mintAndIncrement(address mintReceiver) private {
    _safeMint(mintReceiver, s_tokenCounter++);
}
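To make the finding reproducible, here is an added Foundry test that puts the vulnerable buyPresent() next to the recommended fix. It is example code written for this page, not the project's contracts and not part of the original submission: MiniSantaToken, ListBase, VulnerableList, FixedList, the PRESENT_COST value, the open mint() helper and the presentsOf mapping (standing in for the ERC721 _safeMint bookkeeping) are all constructed assumptions, and forge-std is assumed to be installed. The only property carried over from the finding is a burn(address) that charges whichever address the list contract names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for SantaToken (assumption, not the project's contract).
// Only the list contract may burn, but burn() charges any `from` it is given.
contract MiniSantaToken {
    uint256 public constant PRESENT_COST = 1e18; // assumed price of one present
    address public immutable i_santasList;
    mapping(address => uint256) public balanceOf;

    constructor(address santasList) {
        i_santasList = santasList;
    }

    // Hypothetical open mint so the test can fund accounts.
    function mint(address to) external {
        balanceOf[to] += PRESENT_COST;
    }

    // No allowance check: whoever the list names as `from` pays.
    function burn(address from) external {
        require(msg.sender == i_santasList, "only SantasList");
        require(balanceOf[from] >= PRESENT_COST, "insufficient SantaToken");
        balanceOf[from] -= PRESENT_COST;
    }
}

// Shared scaffolding; presentsOf stands in for the ERC721 _safeMint bookkeeping.
abstract contract ListBase {
    MiniSantaToken public immutable i_santaToken;
    mapping(address => uint256) public presentsOf;
    uint256 public s_tokenCounter;

    constructor() {
        i_santaToken = new MiniSantaToken(address(this));
    }

    function _mintAndIncrement(address mintReceiver) internal {
        presentsOf[mintReceiver] += 1;
        s_tokenCounter++;
    }
}

// Before: burns from presentReceiver, mints to msg.sender (the bug in the finding).
contract VulnerableList is ListBase {
    function buyPresent(address presentReceiver) external {
        i_santaToken.burn(presentReceiver);
        _mintAndIncrement(msg.sender);
    }
}

// After: the caller pays, the receiver gets the present (the recommendation).
contract FixedList is ListBase {
    function buyPresent(address presentReceiver) external {
        i_santaToken.burn(msg.sender);
        _mintAndIncrement(presentReceiver);
    }
}

contract BuyPresentTest is Test {
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");

    // Attacker holds no tokens yet walks away with a present paid for by the victim.
    function test_vulnerable_attackerSpendsVictimTokens() public {
        VulnerableList list = new VulnerableList();
        list.i_santaToken().mint(victim);

        vm.prank(attacker);
        list.buyPresent(victim);

        assertEq(list.i_santaToken().balanceOf(victim), 0);
        assertEq(list.presentsOf(attacker), 1);
        assertEq(list.presentsOf(victim), 0);
    }

    // With the fix the same call reverts for a tokenless attacker, and a funded
    // caller pays for a present that lands with the receiver.
    function test_fixed_callerPaysReceiverGets() public {
        FixedList list = new FixedList();
        list.i_santaToken().mint(victim);

        vm.prank(attacker);
        vm.expectRevert("insufficient SantaToken");
        list.buyPresent(victim);
        assertEq(list.i_santaToken().balanceOf(victim), list.i_santaToken().PRESENT_COST());

        list.i_santaToken().mint(attacker);
        vm.prank(attacker);
        list.buyPresent(victim);

        assertEq(list.i_santaToken().balanceOf(attacker), 0);
        assertEq(list.presentsOf(victim), 1);
        assertEq(list.presentsOf(attacker), 0);
    }
}
```

Run with forge test --match-contract BuyPresentTest. The first test only passes because burn() accepts any from address without an allowance check; if the real token enforced approvals, the caller-pays fix would still be the right change, but the unauthenticated burn is what turns a logic slip into a theft.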
Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.

buyPresent should send to presentReceiver
