Submission Details
Severity:
Cannot Collect Present If Gifted
Summary
A user cannot collect their present if they already have one because they have been gifted one.
Vulnerability Details
A user cannot collect their present if they already have one because they have been gifted one.
POC
function testCannotCollectPresentIfGifted() public {
// Set up.
address userCollector = makeAddr("userCollector");
address userGifter = makeAddr("userGifter");
vm.startPrank(santa);
santasList.checkList(userCollector, SantasList.Status.NICE);
santasList.checkTwice(userCollector, SantasList.Status.NICE);
santasList.checkList(userGifter, SantasList.Status.EXTRA_NICE);
santasList.checkTwice(userGifter, SantasList.Status.EXTRA_NICE);
vm.stopPrank();
vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
vm.startPrank(userGifter);
santasList.collectPresent();
santasList.buyPresent(userGifter);
assertEq(santasList.balanceOf(userGifter), 2);
santasList.transferFrom(userGifter, userCollector, 0);
assertEq(santasList.balanceOf(userGifter), 1);
vm.stopPrank();
// Test.
vm.startPrank(userCollector);
vm.expectRevert();
santasList.collectPresent();
vm.stopPrank();
// Verify.
assertEq(santasList.balanceOf(userCollector), 1);
}
Impact
A user cannot collect their present if they already have one because they have been gifted one.
Tools Used
Manual review.
Recommendations
Track whether users have collected instead of checking their balance.
Updates
Rewards breakdown
nSLOC
116This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.