The CHRISTMAS_2023_BLOCK_TIME constant is hardcoded to December 25, 2023. On any deployment after that date, block.timestamp < CHRISTMAS_2023_BLOCK_TIME is permanently false, meaning the time gate in collectPresent() never triggers. The intended "not before Christmas" protection is a no-op from the moment the contract is deployed.
This affects every deployment of the contract from January 1, 2024 onwards — which includes any current or future deployment. No attacker action is required. The condition is broken by default on all live instances.
collectPresent() is intended to prevent users from claiming presents before Christmas Day. The guard uses a hardcoded constant:
1_703_480_381 corresponds to approximately 2023-12-25 00:59:41 UTC. Since block.timestamp on any chain today is well beyond this value, the check block.timestamp < 1_703_480_381 is always false and collectPresent() is immediately callable upon deployment — regardless of the actual date.
For any redeployment or reuse of this contract, the protection is completely absent. Anyone can call collectPresent() in the same block as deployment.
Likelihood:
- Affects 100% of deployments after December 25, 2023 with no attacker action required
- The time gate is silently disabled — no error, no revert, no indication

Impact:
- The intended pre-Christmas lockout period is permanently bypassed
- Users can collect presents immediately upon deployment — Santa has no time to build the list before claims begin
- Undermines the protocol's intended operational sequence: Santa checks the list first, then Christmas unlocks collection
Set the unlock timestamp as a constructor parameter so it can be configured at deployment time rather than hardcoded to a past date.
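One way to apply this recommendation, as an added example that is not the audited contract's code. The contract name, the error names, `i_unlockTime` and the `s_collected` flag (standing in for the real eligibility and minting logic) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the audited contract: all names are hypothetical.
contract TimeGatedPresents {
    error UnlockTimeNotInFuture(uint256 unlockTime, uint256 nowTime);
    error NotUnlockedYet(uint256 unlockTime, uint256 nowTime);
    error AlreadyCollected(address caller);

    /// Unlock time chosen by the deployer; immutable so it cannot move later.
    uint256 public immutable i_unlockTime;

    /// Placeholder for the real claim bookkeeping (assumption).
    mapping(address => bool) public s_collected;

    event PresentCollected(address indexed caller, uint256 at);

    constructor(uint256 unlockTime) {
        // Reject a timestamp that has already passed. A stale value is the
        // failure mode of the hardcoded constant; here it fails at deployment
        // instead of silently disabling the gate.
        if (unlockTime <= block.timestamp) {
            revert UnlockTimeNotInFuture(unlockTime, block.timestamp);
        }
        i_unlockTime = unlockTime;
    }

    function collectPresent() external {
        // Same comparison as the original guard, but against the
        // deployment-time value rather than a compile-time constant.
        if (block.timestamp < i_unlockTime) {
            revert NotUnlockedYet(i_unlockTime, block.timestamp);
        }
        if (s_collected[msg.sender]) {
            revert AlreadyCollected(msg.sender);
        }
        s_collected[msg.sender] = true;
        emit PresentCollected(msg.sender, block.timestamp);
    }
}
```

The constructor check turns a misconfigured unlock time into a failed deployment, so a redeployment with a past date cannot go live with the gate open.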