Attacker can prevent anyone from collecting their present with frontrunning, causing a DoS
collectPresent() checks the caller's s_theListCheckedOnce and s_theListCheckedTwice before minting them an NFT or SantaToken. Because checkList() has no access control, an attacker can front-run a victim's collectPresent() transaction and change the victim's s_theListCheckedOnce to something other than nice or extra nice. collectPresent() reverts with SantasList__NotNice whenever either s_theListCheckedOnce or s_theListCheckedTwice of the caller is not nice or extra nice, or when s_theListCheckedOnce and s_theListCheckedTwice are not the same, so the victim is prevented from collecting their present, which is a DoS.
Attacker can prevent anyone from collecting their present with frontrunning, causing a DoS
Manual review
Add access control, such as the onlySanta modifier, to checkList() so that only Santa can call it.
Anyone can call checkList() and change the status of a provided address. This is not intended functionality; the function is meant to be callable only by Santa.
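The recommended fix, shown on a reduced model of the list logic. This is an added example, not the audited contract's code: the Status enum members, i_santa, SantasList__NotSanta and checkTwice() are assumptions, and minting is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a reduced model, not the audited contract.
// Enum members, i_santa, SantasList__NotSanta and checkTwice() are assumed.
contract SantasListSketch {
    error SantasList__NotSanta();
    error SantasList__NotNice();

    enum Status { UNCHECKED, NICE, EXTRA_NICE, NAUGHTY }

    address private immutable i_santa;
    mapping(address => Status) private s_theListCheckedOnce;
    mapping(address => Status) private s_theListCheckedTwice;

    modifier onlySanta() {
        if (msg.sender != i_santa) revert SantasList__NotSanta();
        _;
    }

    constructor() {
        i_santa = msg.sender;
    }

    // Before the fix there was no modifier, so any account could overwrite
    // another address's first-pass status ahead of its collectPresent():
    //   function checkList(address person, Status status) external { ... }

    // After the fix: only Santa can write the first-pass status.
    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
    }

    function checkTwice(address person, Status status) external onlySanta {
        s_theListCheckedTwice[person] = status;
    }

    // Eligibility check as the report describes it: both passes must be
    // nice or extra nice, and they must match. Minting is omitted.
    function collectPresent() external view returns (Status) {
        Status once = s_theListCheckedOnce[msg.sender];
        Status twice = s_theListCheckedTwice[msg.sender];
        bool niceEnough = once == Status.NICE || once == Status.EXTRA_NICE;
        if (!niceEnough || once != twice) revert SantasList__NotNice();
        return once;
    }
}
```

With the modifier in place, a checkList() call from any account other than Santa reverts before it can touch s_theListCheckedOnce, so a pending collectPresent() can no longer be invalidated by a third party.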