The contract has no mechanism to prevent users from collecting presents multiple times. Individuals could claim multiple NFTs and SantaTokens, disrupting the distribution system and disadvantaging other users.
The collectPresent function can be called by any user who meets the eligibility criteria, regardless of whether they have already collected a present.
A user could create multiple wallets or exploit contract logic to call the collectPresent function multiple times, obtaining an unfair advantage.
Manual
Implement a mechanism to track users who have already collected presents and prevent them from doing so again. This could involve storing a list of addresses that have already claimed presents or using a token-based system where each present is represented by a unique token.
Consider limiting the number of presents that each user can collect.
Monitor contract activity and take appropriate action against users who attempt to exploit the lack of duplicate present prevention.
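The tracking recommendation above, sketched as an added example that is not the audited contract's code: a one-way per-address claim flag checked and set inside the claim function. The contract name `PresentClaimGuard`, the `eligible`, `hasCollected` and `presentsOf` mappings, and the `setEligible` function are hypothetical stand-ins for the real eligibility criteria and NFT/SantaToken mint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only, NOT the audited contract.
/// All names below are hypothetical.
contract PresentClaimGuard {
    error NotEligible(address user);
    error AlreadyCollected(address user);

    event PresentCollected(address indexed user);

    address public immutable admin;
    mapping(address => bool) public eligible;      // stand-in for the real eligibility criteria
    mapping(address => bool) public hasCollected;  // one-way flag, never reset
    mapping(address => uint256) public presentsOf; // stand-in for the NFT / token mint

    constructor() {
        admin = msg.sender;
    }

    function setEligible(address user, bool ok) external {
        require(msg.sender == admin, "only admin");
        eligible[user] = ok;
    }

    function collectPresent() external {
        if (!eligible[msg.sender]) revert NotEligible(msg.sender);

        // A dedicated flag records the claim explicitly instead of
        // inferring it from other state such as a token balance.
        if (hasCollected[msg.sender]) revert AlreadyCollected(msg.sender);

        // Effects before interactions: the flag is set before any mint
        // that could call back into the claimant (e.g. an ERC-721 safe mint).
        hasCollected[msg.sender] = true;
        presentsOf[msg.sender] += 1;

        emit PresentCollected(msg.sender);
    }
}
```

A per-address flag limits each eligible address to one claim; it does not by itself stop one person who controls several eligible wallets, so the eligibility list remains the control for that case.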