Santa's List

AI First Flight #3

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

checkList() is missing the onlySanta modifier, allowing any address to write arbitrary status values to the naughty/nice list

blackburn

Root + Impact

Any address can call checkList() to assign any Status to any address, including themselves. This completely bypasses Santa's authority as the sole list manager, undermines the integrity of the two-pass verification system, and enables a grief attack where legitimate users confirmed by Santa can be permanently blocked from collecting their presents.

The function is external with no access restriction. Any EOA or contract can call it at any time for gas cost only. No capital, special knowledge, or setup is required.

Description

SantasList is designed around a two-pass verification system where Santa exclusively manages who is on the nice list. The NatSpec on checkList() explicitly states "Only callable by santa". The onlySanta modifier exists and is correctly applied to checkTwice(), but is missing from checkList().

This means checkList() is a free, unrestricted write to s_theListCheckedOnce for any caller:

// @> missing onlySanta modifier — any address can call this freely

function checkList(address person, Status status) external {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

// onlySanta correctly applied here

function checkTwice(address person, Status status) external onlySanta {

if (s_theListCheckedOnce[person] != status) {

revert SantasList__SecondCheckDoesntMatchFirst();

}

s_theListCheckedTwice[person] = status;

emit CheckedTwice(person, status);

}

This has two distinct consequences:

Self-assignment: Any attacker can set their own s_theListCheckedOnce to NICE, satisfying the first check in collectPresent() without Santa's involvement.
Grief attack: An attacker can overwrite any legitimate user's confirmed status at any time. If Santa has called checkTwice(alice, NICE) but the attacker then calls checkList(alice, NAUGHTY), Alice's s_theListCheckedOnce becomes NAUGHTY while s_theListCheckedTwice remains NICE. Santa cannot rescue Alice — calling checkTwice(alice, NICE) reverts with SecondCheckDoesntMatchFirst because the first mapping no longer matches. Alice is permanently blocked regardless of Santa's intent.

Risk

Likelihood:

checkList() is unrestricted and callable by anyone — exploitable on every deployment
No setup required beyond knowing the contract address
The grief path requires only watching the mempool and spending slightly more gas than Santa
Impact:

Santa's authority over the naughty/nice list is completely removed
Any attacker can manipulate s_theListCheckedOnce for any address at will
Legitimate users confirmed by Santa can be permanently blocked from collecting presents
The two-pass verification design is rendered unenforceable

Proof of Concept

function test_F1_AnyoneCanSelfAssignNiceAndCollect() public {

// Warp past Christmas

vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

// Attacker self-assigns NICE — no onlySanta guard stops them

vm.prank(attacker);

santasList.checkList(attacker, SantasList.Status.NICE);

// s_theListCheckedTwice[attacker] is already NICE by default (Status(0))

// Both checks in collectPresent() pass — Santa was never involved

vm.prank(attacker);

santasList.collectPresent();

// Attacker has an NFT — zero Santa involvement

assertEq(santasList.balanceOf(attacker), 1);

}

Recommended Mitigation

Add the onlySanta modifier to checkList() to match the access control on checkTwice() and the stated NatSpec intent.

- function checkList(address person, Status status) external {

+ function checkList(address person, Status status) external onlySanta {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Anyone is able to call `checkList` function in SantasList contract and prevent any address from becoming `NICE` or `EXTRA_NICE` and collect present.

## Description With the current design of the protocol, anyone is able to call `checkList` function in SantasList contract, while documentation says only Santa should be able to call it. This can be considered as an access control vulnerability, because not only santa is allowed to make the first check. ## Vulnerability Details An attacker could simply call the external `checkList` function, passing as parameter the address of someone else and the enum Status `NAUGHTY`(or `NOT_CHECKED_TWICE`, which should actually be `UNKNOWN` given documentation). By doing that, Santa will not be able to execute `checkTwice` function correctly for `NICE` and `EXTRA_NICE` people. Indeed, if Santa first checked a user and assigned the status `NICE` or `EXTRA_NICE`, anyone is able to call `checkList` function again, and by doing so modify the status. This could result in Santa unable to execute the second check. Moreover, any malicious actor could check the mempool and front run Santa just before calling `checkTwice` function to check users. This would result in a major denial of service issue. ## Impact The impact of this vulnerability is HIGH as it results in a broken mechanism of the check list system. Any user could be declared `NAUGHTY` for the first check at any time, preventing present collecting by users although Santa considered the user as `NICE` or `EXTRA_NICE`. Santa could still call `checkList` function again to reassigned the status to `NICE` or `EXTRA_NICE` before calling `checkTwice` function, but any malicious actor could front run the call to `checkTwice` function. In this scenario, it would be impossible for Santa to actually double check a `NICE` or `EXTRA_NICE` user. ## Proof of Concept Just copy paste this test in SantasListTest contract : ``` function testDosAttack() external { vm.startPrank(makeAddr("attacker")); // any user can checList any address and assigned status to naughty // an attacker could front run Santa before the second check santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); vm.startPrank(santa); vm.expectRevert(); // Santa is unable to check twice the user santasList.checkTwice(makeAddr("user"), SantasList.Status.NICE); vm.stopPrank(); } ``` ## Recommendations I suggest to add the `onlySanta` modifier to `checkList` function. This will ensure the first check can only be done by Santa, and prevent DOS attack on the contract. With this modifier, specification will be respected : "In this contract Only Santa to take the following actions: - checkList: A function that changes an address to a new Status of NICE, EXTRA_NICE, NAUGHTY, or UNKNOWN on the original s_theListCheckedOnce list." The following code will resolve this access control issue, simply by adding `onlySanta` modifier: ``` function checkList(address person, Status status) external onlySanta { s_theListCheckedOnce[person] = status; emit CheckedOnce(person, status); } ``` No malicious actor is now able to front run Santa before `checkTwice` function call. The following tests shows that doing the first check for another user is impossible after adding `onlySanta` modifier: ``` function testDosResolved() external { vm.startPrank(makeAddr("attacker")); // checklist function call will revert if a user tries to execute the first check for another user vm.expectRevert(SantasList.SantasList__NotSanta.selector); santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!