Santa's List
AI First Flight #3
Tags: Beginner Friendly, Foundry
Apr 2nd, 2026 → Apr 6th, 2026
Submissions: 10 / 10
| # | Finding | Severity | Validity | Tags | Author |
|---|---------|----------|----------|------|--------|
| 1 | checkList() is missing the onlySanta modifier, allowing any address to write arbitrary status values to the naughty/nice list | High | Valid | [H-01] Anyone is able to ca... | blackburn |
| 2 | NICE at position 0 in the Status enum causes all uninitialised addresses to pass the second-pass verification check by default | High | Valid | [H-02] All addresses are co... | blackburn |
| 3 | collectPresent() uses balanceOf as the already-collected guard, allowing any whitelisted address to collect unlimited presents by transferring their NFT away between calls | High | Valid | [H-04] Any `NICE` or `EXTRA... | blackburn |
| 4 | buyPresent() burns tokens from presentReceiver instead of msg.sender and mints the NFT to msg.sender instead of presentReceiver, allowing anyone to steal SantaTokens from any holder without approval | High | Valid | [H-03] SantasList::buyPrese... | blackburn |
| 5 | Any address can permanently block a legitimate user from collecting their present by overwriting their first-check status after Santa's confirmation | High | Valid | [H-01] Anyone is able to ca... | blackburn |
| 6 | collectPresent() is vulnerable to reentrancy via the _safeMint callback, allowing an attacker to mint unlimited NFTs in a single transaction | High | Valid | [H-04] Any `NICE` or `EXTRA... | blackburn |
| 7 | buyPresent() is vulnerable to reentrancy via the _safeMint callback, allowing an attacker to drain a victim's entire SantaToken balance in a single transaction | High | Invalid | | blackburn |
| 8 | Christmas timestamp is hardcoded to a past date, permanently disabling the time gate on any current or future deployment | Low | Invalid | | blackburn |
| 9 | PURCHASED_PRESENT_COST is a dead constant — the actual burn amount in buyPresent() is 1e18, half the documented cost of 2e18 | Medium | Valid | [M-01] Cost to buy NFT via ... | blackburn |
| 10 | Gas Optimizations and Informational Findings — SantasList | Low | Invalid | | blackburn |