Summary

collectPresent function is supposed to be called by users that are considered NICE or EXTRA_NICE by Santa. This means Santa is supposed to call checkList function to assigned a user to a status, and then call checkTwice function to execute a double check of the status.

Currently, the enum Status assigns its default value (0) to NICE. This means that both mappings s_theListCheckedOnce and s_theListCheckedTwice consider every existent address as NICE. In other words, all users are by default double checked as NICE, and therefore eligible to call collectPresent function.

Vulnerability Details

The vulnerability arises due to the order of elements in the enum. If the first value is NICE, this means the enum value for each key in both mappings will be NICE, as it corresponds to 0 value.

Impact

The impact of this vulnerability is HIGH as it results in a flawed mechanism of the present distribution. Any unchecked address is currently able to call collectPresent function and mint an NFT. This is because this contract considers by default every address with a NICE status (or 0 value).

Proof of Concept

The following Foundry test will show that any user is able to call collectPresent function after CHRISTMAS_2023_BLOCK_TIME :

Tools Used

Foundry

Recommendations

I suggest to modify Status enum, and use UNKNOWN status as the first one. This way, all users will default to UNKNOWN status, preventing the successful call to collectPresent before any check form Santa:

After modifying the enum, you can run the following test and see that collectPresent call will revert if Santa didn't check the address and assigned its status to NICE or EXTRA_NICE :