First Flight #5: Santa's List
First Flight #5
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Access Control : checkList can be called by anyone

Mj0ln1r

Summary

checkList() function inside SantaList.sol can be called by any user. The intended purpose of this function is to be called by the santa only.

Vulnerability Details

The checkList() function has to be called by the santa only. But the access control check was not done in the contract.

The inline @notice mentioned that it should only be called by santa

Comment: https://github.com/Cyfrin/2023-11-Santas-List/blob/886f801daa1968cccccfd8790a510417aedc88b6/src/SantasList.sol#L116

function checkList(address person, Status status) external {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}

Impact

The impact of this vulnerability is it can be called by anyone, so any user can easily pass the initial check for the present.

Proof of Code:

function testCheckListByAnyone() public {
vm.prank(user);
santasList.checkList(user, SantasList.Status.NICE);
assertEq(uint256(santasList.getNaughtyOrNiceOnce(user)), uint256(SantasList.Status.NICE));
}

Add this piece of code to the SantasListTest.t.sol. Run the following command to execute test.

forge test --mt testCheckListByAnyone

Tools Used

Manual Review

Recommendations

Add the onlySanta modifier to the checkList() function.

- function checkList(address person, Status status) external {
+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Access Control on checkList()

Anyone is able to call checkList() changing the status of a provided address. This is not intended functionality and is meant to be callable by only Santa.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.