Submission Details
Severity: medium
Valid

Token amount mismatch for buying present between functionality and protocol

Summary

The SantaToken contract in SantasList is inconsistent with the protocol in the amount of tokens burned to buy a present. The `buyPresent` function in SantasList calls the same burn function from SantaToken. Tokens are minted at 1e18 and burned at 1e18, while the protocol specifies a 2e18 token burn cost for purchasing a present. I also suspect that the minting should be for 2e18 instead of 1e18, so that an EXTRA_NICE user can buy a present by himself.

Vulnerability Details

The burn function in the SantaToken contract is set to burn 1e18 tokens, conflicting with the SantasList protocol's requirement of 2e18 tokens to purchase a present. This can lead to confusion.

Impact

The system fails to fulfill its intended functionality of allowing users to purchase presents for 2e18 SantaTokens.

Tools Used

Manual inspection

Recommendations

Align the burn function in the SantaToken contract with the protocol's requirement by adjusting the burn amount to 2e18. Ensure that minting and burning amounts are consistent with the protocol's rules to maintain the intended functionality.
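The recommendation above, sketched as an added example (not code from the SantasList repository or from the submission). `SketchToken`, `SketchList`, `claim`, `claimed` and `presents` are hypothetical names; `PURCHASE_PRESENT_COST`, `buyPresent` and `burn` are the names the page uses, and minting the full price follows the submission's suggestion.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for SantaToken (assumption: not the project's code).
contract SketchToken {
    address public immutable i_list; // only the list contract may mint or burn
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    error NotList();

    constructor(address list) { i_list = list; }

    modifier onlyList() {
        if (msg.sender != i_list) revert NotList();
        _;
    }

    function mint(address to, uint256 amount) external onlyList {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    // The amount comes from the caller instead of a hardcoded 1e18,
    // so the price lives in exactly one place (the list contract).
    function burn(address from, uint256 amount) external onlyList {
        balanceOf[from] -= amount; // checked arithmetic: reverts if balance < amount
        totalSupply -= amount;
    }
}

// Simplified stand-in for SantasList (assumption: eligibility checks omitted).
contract SketchList {
    uint256 public constant PURCHASE_PRESENT_COST = 2e18;
    SketchToken public immutable i_token;
    mapping(address => bool) public claimed;
    mapping(address => uint256) public presents;

    constructor() { i_token = new SketchToken(address(this)); }

    // Hypothetical one-time reward, minted at the same value as the price.
    function claim() external {
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
        i_token.mint(msg.sender, PURCHASE_PRESENT_COST);
    }

    // The documented cost is enforced here: a caller holding less than 2e18 reverts.
    function buyPresent(address receiver) external {
        i_token.burn(msg.sender, PURCHASE_PRESENT_COST);
        presents[receiver] += 1;
    }
}
```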

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Price is not enforced in buyPresent

This line indicates that the intended cost of presents for naughty people should be 2e18: https://github.com/Cyfrin/2023-11-Santas-List/blob/6627a6387adab89ae2ba2e82b38296723261c08a/src/SantasList.sol#L87

PURCHASE_PRESENT_COST should be implemented to enforce the cost of presents.
