Missing access control on `checkList()` allows anyone to assign Naughty/Nice status
Description
The function checkList() is intended to be restricted to Santa only, as stated in the NatSpec documentation. However, there is no access control enforced in the implementation.
As a result, any external user can call checkList() and arbitrarily set the status of any address to Nice, Naughty, or EXTRA_NICE, fully bypassing the intended role-based system.
Vulnerability Details
Affected code
https://github.com/CodeHawks-Contests/ai-santas-list/blob/main/src/SantasList.sol#L121
Issue Breakdown
The documentation explicitly states:
“Only callable by santa”
However, the function is declared as:
externalwith no
onlySantaor equivalent modifier.This allows any attacker to:
Set their own status to
EXTRA_NICEPromote other users to privileged statuses
Manipulate downstream logic relying on
s_theListCheckedOnce
Impact
This vulnerability breaks the core trust assumption of the protocol:
Unauthorized users can mark themselves as eligible for rewards
NFT distribution logic based on status becomes meaningless
Any game mechanics depending on “Santa authority” are fully compromised
Result:
➡️ Complete bypass of role-based authorization for status assignment
Proof of Concept
Attacker calls:
checkList(attackerAddress, EXTRA_NICE);Contract accepts the update without restrictions.
Attacker becomes eligible for privileged reward paths intended only for Santa-approved users.
Root Cause
Missing access control modifier (
onlySanta)Discrepancy between documentation and implementation
Trust assumption that external callers will respect intended role restrictions
Recommended Fix
Restrict function access using the Santa role modifier:
Ensure onlySanta properly validates the caller, e.g.:
Conclusion
The checkList() function lacks the required access control, allowing any user to arbitrarily assign status values. This completely undermines the protocol’s role-based logic and can be exploited to gain unauthorized eligibility for rewards and privileges.
Lead Judging Commences
[H-01] Anyone is able to call `checkList` function in SantasList contract and prevent any address from becoming `NICE` or `EXTRA_NICE` and collect present.
## Description With the current design of the protocol, anyone is able to call `checkList` function in SantasList contract, while documentation says only Santa should be able to call it. This can be considered as an access control vulnerability, because not only santa is allowed to make the first check. ## Vulnerability Details An attacker could simply call the external `checkList` function, passing as parameter the address of someone else and the enum Status `NAUGHTY`(or `NOT_CHECKED_TWICE`, which should actually be `UNKNOWN` given documentation). By doing that, Santa will not be able to execute `checkTwice` function correctly for `NICE` and `EXTRA_NICE` people. Indeed, if Santa first checked a user and assigned the status `NICE` or `EXTRA_NICE`, anyone is able to call `checkList` function again, and by doing so modify the status. This could result in Santa unable to execute the second check. Moreover, any malicious actor could check the mempool and front run Santa just before calling `checkTwice` function to check users. This would result in a major denial of service issue. ## Impact The impact of this vulnerability is HIGH as it results in a broken mechanism of the check list system. Any user could be declared `NAUGHTY` for the first check at any time, preventing present collecting by users although Santa considered the user as `NICE` or `EXTRA_NICE`. Santa could still call `checkList` function again to reassigned the status to `NICE` or `EXTRA_NICE` before calling `checkTwice` function, but any malicious actor could front run the call to `checkTwice` function. In this scenario, it would be impossible for Santa to actually double check a `NICE` or `EXTRA_NICE` user. ## Proof of Concept Just copy paste this test in SantasListTest contract : ``` function testDosAttack() external { vm.startPrank(makeAddr("attacker")); // any user can checList any address and assigned status to naughty // an attacker could front run Santa before the second check santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); vm.startPrank(santa); vm.expectRevert(); // Santa is unable to check twice the user santasList.checkTwice(makeAddr("user"), SantasList.Status.NICE); vm.stopPrank(); } ``` ## Recommendations I suggest to add the `onlySanta` modifier to `checkList` function. This will ensure the first check can only be done by Santa, and prevent DOS attack on the contract. With this modifier, specification will be respected : "In this contract Only Santa to take the following actions: - checkList: A function that changes an address to a new Status of NICE, EXTRA_NICE, NAUGHTY, or UNKNOWN on the original s_theListCheckedOnce list." The following code will resolve this access control issue, simply by adding `onlySanta` modifier: ``` function checkList(address person, Status status) external onlySanta { s_theListCheckedOnce[person] = status; emit CheckedOnce(person, status); } ``` No malicious actor is now able to front run Santa before `checkTwice` function call. The following tests shows that doing the first check for another user is impossible after adding `onlySanta` modifier: ``` function testDosResolved() external { vm.startPrank(makeAddr("attacker")); // checklist function call will revert if a user tries to execute the first check for another user vm.expectRevert(SantasList.SantasList__NotSanta.selector); santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.