Submission Details
Severity: medium
Invalid

"checkList" and "checkTwice" can be called for a smart contract

Summary

The argument names of "checkList" and "checkTwice" suggest that the given addresses belong to a person.
The protocol does not state that this should work for a contract, but it should certainly work for an EOA (externally owned account).

Vulnerability Details

The current design does not differentiate between EOAs and contract addresses. This can lead to unintended behaviors when a contract is marked NICE/EXTRA_NICE, as the contract must implement IERC721Receiver to receive NFTs, which may not always be the case.

Impact

Santa marking contracts as NICE/EXTRA_NICE may lead to unexpected outcomes, depending on the contract's ability to handle ERC721 tokens. This could disrupt the intended flow of the collectPresent process, and the contract might not be able to get its present. This is because _mintAndIncrement uses _safeMint internally, which has a callback from IERC721Receiver.

Tools Used

Manual inspection

Recommendations

You have to decide whether Santa should give presents to contracts, and document the requirements for that.
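
The behaviour described under Impact, as an added Foundry example that is not part of the submission or of the audited code base. `PresentStub` is a hypothetical stand-in that mints to the caller through OpenZeppelin's `_safeMint`, as the report says `_mintAndIncrement` does; all contract and test names here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical stand-in (not the audited contract): mints to the caller with _safeMint.
contract PresentStub is ERC721 {
    uint256 private s_tokenCounter;
    constructor() ERC721("Present", "PRS") {}
    function collectPresent() external {
        // _safeMint calls onERC721Received on msg.sender when msg.sender has code.
        _safeMint(msg.sender, s_tokenCounter++);
    }
}

// Contract recipient with no receiver hook.
contract PlainCollector {
    function collect(PresentStub p) external { p.collectPresent(); }
}

// Contract recipient that implements IERC721Receiver.
contract ReceiverCollector is IERC721Receiver {
    function collect(PresentStub p) external { p.collectPresent(); }
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}

contract SafeMintRecipientTest is Test {
    PresentStub present = new PresentStub();
    function test_contractWithoutHookCannotCollect() public {
        PlainCollector plain = new PlainCollector();
        vm.expectRevert(); // receiver check fails, so the whole call reverts
        plain.collect(present);
    }
    function test_contractWithHookCollects() public {
        ReceiverCollector ok = new ReceiverCollector();
        ok.collect(present);
        assertEq(present.ownerOf(0), address(ok));
    }
    function test_eoaCollects() public {
        address eoa = makeAddr("eoa"); // address without code, so no hook is called
        vm.prank(eoa);
        present.collectPresent();
        assertEq(present.balanceOf(eoa), 1);
    }
}
```

Run with `forge test` in a project that has forge-std and OpenZeppelin Contracts installed; `vm.expectRevert()` is left without arguments because the revert data differs between OpenZeppelin major versions.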

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Design choice
