The "buy a present for someone else" feature does not work as described in the documentation. It should only be callable by someone who is naughty, but it can be called by anyone.
Buying a present for someone else is intended only for users whose Status is NAUGHTY, but there is no check of the caller's Status inside the buyPresent() function.
No access control check is done for users who aren't NAUGHTY.
This breaks the intended usage of buyPresent(): users who aren't NAUGHTY are also able to call the function.
Proof of Code:
Add this test to SantasListTest.t.sol and run forge test --mt testBuyPresentNotNaughty. The buyPresent() function is called by an EXTRA_NICE user, not a NAUGHTY user.
Manual Review
Check the Status of the buyPresent() caller.
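One way to implement the recommended check, as an added example that is neither the contest's contract nor the submission's test. PresentShopSketch, its storage, setStatus(), the UNSET value, the NotNaughty error and the test name are assumptions, and the test assumes Foundry with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Simplified stand-in for the contract under review. Only Status, NAUGHTY,
// EXTRA_NICE and buyPresent() come from the report; all other names are assumed.
contract PresentShopSketch {
    enum Status { UNSET, EXTRA_NICE, NAUGHTY } // UNSET (default value) is assumed
    error NotNaughty(address caller);

    address public immutable santa;              // assumed: account that assigns statuses
    mapping(address => Status) public statusOf;  // assumed storage layout
    mapping(address => uint256) public presents; // assumed: stands in for minting a present

    constructor() { santa = msg.sender; }

    function setStatus(address user, Status status) external {
        require(msg.sender == santa, "only santa");
        statusOf[user] = status;
    }

    // Behaviour described in the report: no check on the caller's Status.
    function buyPresentUnchecked(address receiver) external {
        presents[receiver] += 1;
    }

    // Recommended behaviour: reject every caller whose Status is not NAUGHTY.
    function buyPresent(address receiver) external {
        if (statusOf[msg.sender] != Status.NAUGHTY) revert NotNaughty(msg.sender);
        presents[receiver] += 1;
    }
}

contract PresentShopSketchTest is Test {
    function testExtraNiceCallerIsRejected() public {
        PresentShopSketch shop = new PresentShopSketch(); // this test contract becomes santa
        address alice = makeAddr("alice");
        shop.setStatus(alice, PresentShopSketch.Status.EXTRA_NICE);

        vm.prank(alice);
        shop.buyPresentUnchecked(alice); // unchecked variant accepts an EXTRA_NICE caller
        assertEq(shop.presents(alice), 1);

        vm.prank(alice);
        vm.expectRevert(abi.encodeWithSelector(PresentShopSketch.NotNaughty.selector, alice));
        shop.buyPresent(alice); // checked variant reverts for the same caller
    }
}
```

Because the check compares against NAUGHTY rather than listing disallowed values, an address that was never assigned a Status is rejected as well.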