`buyPresent()` supposed to cost 2e18 of `SantaToken`, however only 1e18 of `SantaToken` will be burned
Summary
buyPresent() supposed to cost 2e18 of SantaToken, however only 1e18 of SantaToken will be burned
Vulnerability Details
According to README.md buyPresent() should cost 2e18 of SantaToken, but it will call burn() in SantaToken which is hardcoded to burn 1e18 of SantaToken. Also there is a constant PURCHASED_PRESENT_COST in SantaList which should be the cost for buyPresent() but it is not used at all
Impact
Anyone can buy present with only 1e18 of SantaToken, but they are supposed to buy with 2e18 of SantaToken according to README.md
Tools Used
Manual review
Recommendations
Burn 2e18 from msg.sender instead of burning a hardcoded value of 1e18 from presentReceiver
Lead Judging Commences
Price is not enforced in buyPresent
This line indicates that the intended cost of presents for naughty people should be 2e18: https://github.com/Cyfrin/2023-11-Santas-List/blob/6627a6387adab89ae2ba2e82b38296723261c08a/src/SantasList.sol#L87 PURCHASE_PRESENT_COST should be implemented to enforce the cost of presents.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.