Severity: high
Valid

No access control in checkList(): anyone can arbitrarily set their status or even cause a DoS by frontrunning Santa's call to checkTwice()

Summary

No access control in checkList(), anyone can arbitrarily set their status or even cause a DoS by frontrunning Santa's call to checkTwice()

Vulnerability Details

The comments show that checkList() is supposed to be callable only by Santa; however, the onlySanta modifier is missing and there is no access control.
Anyone can call checkList() and set their own status, or even others' status, to whatever they want. Alternatively, when Santa is calling checkTwice(), they can frontrun Santa's transaction and call checkList() to change the person's status, causing a DoS.

Impact

Anyone can arbitrarily set their status or even cause a DoS by frontrunning Santa's call to checkTwice()

Tools Used

Manual review

Recommendations

Add the onlySanta modifier or other access control measures.
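The sketch below is an added illustration, not the audited contract's code: it places an unrestricted first-check writer next to the version guarded by onlySanta. The contract name, storage names, Status enum, custom errors, and the assumption that checkTwice() reverts when the second check disagrees with the first are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a minimal sketch, not the audited contract.
// Storage names, the Status enum and the errors are assumptions.
contract ListSketch {
    enum Status { UNKNOWN, NICE, NAUGHTY }

    error NotSanta();
    error SecondCheckDoesntMatchFirst();

    address private immutable i_santa;
    mapping(address => Status) private s_checkedOnce;
    mapping(address => Status) private s_checkedTwice;

    // Restricts a function to the account that deployed the contract.
    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    constructor() {
        i_santa = msg.sender;
    }

    // Before the fix: no modifier, so any caller can write any person's status.
    function checkListUnrestricted(address person, Status status) external {
        s_checkedOnce[person] = status;
    }

    // After the fix: only Santa can record the first check.
    function checkList(address person, Status status) external onlySanta {
        s_checkedOnce[person] = status;
    }

    // Assumed behaviour: the second check must agree with the first.
    // While an unrestricted writer exists, a third party can change the first
    // check just before this call is mined, so Santa's transaction reverts.
    function checkTwice(address person, Status status) external onlySanta {
        if (s_checkedOnce[person] != status) revert SecondCheckDoesntMatchFirst();
        s_checkedTwice[person] = status;
    }

    // Read helper so the recorded second check can be inspected.
    function secondCheck(address person) external view returns (Status) {
        return s_checkedTwice[person];
    }
}
```

With only the guarded checkList() exposed, the value checkTwice() compares against can be written by Santa alone, which removes both the arbitrary status change and the revert-on-mismatch DoS.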

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.
