Santa's List

AI First Flight #3
Beginner Friendly | Foundry | EXP
Submission Details
Impact: high
Likelihood: high
Invalid

`SantaToken.burn` Lacks Authorization Check

Root + Impact

Description

  • The `burn` function in `SantaToken.sol` only verifies that the caller is the `SantasList` contract; it does not validate that the burn target authorized the operation. Combined with Vulnerability 4, this enables unauthorized token destruction.

    In `SantaToken.sol`, the function burns tokens from `from` without checking:

    • whether `from` approved the burn
    • whether `from` has sufficient balance
    • any relationship between the ultimate caller and `from`

```solidity
function burn(address from) external {
    if (msg.sender != i_santasList) {
        revert SantaToken__NotSantasList();
    }
    _burn(from, 1e18);
}
```

Risk

Likelihood:

  • Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

  • Reason 2

Impact:

When called through buyPresent, this allows complete bypass of the ERC20 approval system. Anyone can destroy any token holder's balance.

Proof of Concept

No `require(balanceOf(msg.sender) >= cost)` exists.

```solidity
vm.prank(attackerWithoutTokens);
santasList.buyPresent(victim);
```

Recommended Mitigation

Modify the burn function to accept only the authenticated caller's address:

```solidity
function burn(address from) external {
    if (msg.sender != i_santasList) {
        revert SantaToken__NotSantasList();
    }
    // Burn should only affect the ultimate caller
    // SantasList should pass msg.sender, not arbitrary address
    _burn(from, 1e18);
}
```

Then update SantasList.buyPresent per Vulnerability 4's recommendation.
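The following Foundry test is an added example, not code from the audited Santa's List repository: it uses simplified stand-in contracts (`SantaTokenFixed`, `SantasListFixed`, and a hypothetical `reward` helper for minting in the test) to show the property the mitigation above is meant to guarantee, namely that `buyPresent` can only ever burn the payer's own balance, so an address without tokens cannot destroy another holder's balance. It assumes OpenZeppelin's `ERC20` and forge-std are installed in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Test} from "forge-std/Test.sol";

/// Simplified stand-in for SantaToken (illustrative, not the audited contract).
contract SantaTokenFixed is ERC20 {
    error SantaToken__NotSantasList();

    address private immutable i_santasList;

    constructor() ERC20("SantaToken", "SANTA") {
        i_santasList = msg.sender; // the deploying SantasList is the only authorized caller
    }

    /// Only SantasList may call this; SantasList is responsible for passing the payer.
    function burn(address from) external {
        if (msg.sender != i_santasList) revert SantaToken__NotSantasList();
        _burn(from, 1e18); // OpenZeppelin _burn reverts if `from` lacks 1e18 tokens
    }

    /// Hypothetical minting path so the test can fund an account.
    function mint(address to, uint256 amount) external {
        if (msg.sender != i_santasList) revert SantaToken__NotSantasList();
        _mint(to, amount);
    }
}

/// Simplified stand-in for SantasList with the hardened buyPresent.
contract SantasListFixed {
    SantaTokenFixed public immutable i_santaToken;
    mapping(address => uint256) public presentsBought;

    constructor() {
        i_santaToken = new SantaTokenFixed();
    }

    /// Hardened: the burn target is always msg.sender (the payer), never presentReceiver.
    function buyPresent(address presentReceiver) external {
        i_santaToken.burn(msg.sender);
        presentsBought[presentReceiver] += 1;
    }

    /// Hypothetical helper standing in for whatever path mints tokens in the real contract.
    function reward(address to) external {
        i_santaToken.mint(to, 1e18);
    }
}

contract BuyPresentAuthTest is Test {
    SantasListFixed list;
    SantaTokenFixed token;
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");

    function setUp() public {
        list = new SantasListFixed();
        token = list.i_santaToken();
        list.reward(victim); // victim holds exactly 1e18 tokens; attacker holds none
    }

    /// A caller with no tokens cannot spend the victim's balance: the burn targets
    /// msg.sender, whose balance is zero, so the ERC20 balance check reverts.
    function test_buyPresentCannotBurnSomeoneElsesTokens() public {
        vm.prank(attacker);
        vm.expectRevert();
        list.buyPresent(victim);
        assertEq(token.balanceOf(victim), 1e18);
        assertEq(list.presentsBought(victim), 0);
    }

    /// The payer's own balance is what gets burned, and the receiver is credited.
    function test_buyPresentBurnsFromPayer() public {
        vm.prank(victim);
        list.buyPresent(attacker);
        assertEq(token.balanceOf(victim), 0);
        assertEq(list.presentsBought(attacker), 1);
    }
}
```

Run with `forge test --match-contract BuyPresentAuthTest`. The first test is the regression check for this finding: it fails against a `buyPresent` that forwards `presentReceiver` to `burn`, and passes once the burn target is `msg.sender`.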

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
