Santa's List

AI First Flight #3

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

[M-2] Presents can be claimed long after Christmas 2023

vegazeronos

Root + Impact

Description

The collectPresent function only enforces a lower-bound timestamp check (>= CHRISTMAS_2023_BLOCK_TIME) and does not enforce an upper bound. As a result, users can claim presents arbitrarily far into the future, even years after the intended event.
This contradicts the event-based design described in the README and weakens the narrative and scarcity of the Christmas reward. It also complicates accounting, analytics, and user expectations. While not immediately exploitable for large financial gain, it introduces protocol ambiguity and reduces trust.

Risk

Likelihood:

High. Any delayed user can trigger this unintentionally.

Impact:

Medium. Primarily affects protocol correctness and expectations, not direct funds.

Proof of Concept

Please add this POC on the test file test/SantasListTest.t.sol

function testCanCollectPresentAfterSeveralYears() public {

vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + santasList.CHRISTMAS_2023_BLOCK_TIME());

vm.startPrank(user);

santasList.collectPresent();

assertEq(santasList.ownerOf(0), user);

assertGt(block.timestamp , santasList.CHRISTMAS_2023_BLOCK_TIME());

}

Recommended Mitigation

On the before christmas require, please add the maximum date of it to make it more obvious to the readme (only 24 hours)

function collectPresent() external {

+ if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME || block.timestamp > CHRISTMAS_2023_BLOCK_TIME + 24hrs) {

- if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME){

revert SantasList__NotChristmas2023Range();

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-01] collectPresent() can be called at anytime after christmas

## Description The christmas present should only be collected with 24 hours before or after christmas. But the present can be minted at anytime after christmas. ## Vulnerability Details Documenation mentioned that "The Christmas date is approximate, if it's more then 24 hours before or after Christmas, please report that. Otherwise, it's OK." The `collectPresent()` has only checked that the present cannot be collected before the christmas. But hasn't checked in the case of after christmas collection. ```javascript function collectPresent() external { if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) { revert SantasList__NotChristmasYet(); } if (balanceOf(msg.sender) > 0) { revert SantasList__AlreadyCollected(); } if (s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE) { _mintAndIncrement(); return; } else if ( s_theListCheckedOnce[msg.sender] == Status.EXTRA_NICE && s_theListCheckedTwice[msg.sender] == Status.EXTRA_NICE ) { _mintAndIncrement(); i_santaToken.mint(msg.sender); return; } revert SantasList__NotNice(); } ``` `uint256 public constant CHRISTMAS_2023_BLOCK_TIME = 1_703_480_381;` The UTC time for this epoch is : `Monday, 25 December 2023 04:59:41` . The present can only be collected after approx 5 hours after the christmas arrived. But it can be collectable at anytime after Christmas. As there is no check for the after christmas case. ## Impact The impact of this vulnerability is that the intended use of the protocol is not acquired. Proof Of Code : ```javascript function testCollectPresentNiceAfterChristmas() public { vm.startPrank(santa); santasList.checkList(user, SantasList.Status.NICE); santasList.checkTwice(user, SantasList.Status.NICE); vm.stopPrank(); vm.warp(1703900189); // Saturday, 30 December 2023 01:36:29 vm.startPrank(user); santasList.collectPresent(); assertEq(santasList.balanceOf(user), 1); vm.stopPrank(); } ``` Add this test to `SantasListTest.t.sol` and run `forge test --mt testCollectPresentNiceAfterChristmas` to test. You can observe that the present is collectable at Saturday, 30 December 2023 01:36:29. ## Recommendations Include check for the after 24 hours of christmas. ```diff function collectPresent() external { - if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) { + if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME && block.timestamp > 1703554589 ) { revert SantasList__NotChristmasYet(); } if (balanceOf(msg.sender) > 0) { revert SantasList__AlreadyCollected(); } if (s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE) { _mintAndIncrement(); return; } else if ( s_theListCheckedOnce[msg.sender] == Status.EXTRA_NICE && s_theListCheckedTwice[msg.sender] == Status.EXTRA_NICE ) { _mintAndIncrement(); i_santaToken.mint(msg.sender); return; } revert SantasList__NotNice(); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!