Santa's List

AI First Flight #3

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Access Control on checkList() allows anyone to manipulate status

georgibuilds

Root + Impact

Description

The checkList() function is missing the onlySanta modifier, allowing anyone to set their own status to EXTRA_NICE and bypass Santa's authority. This enables attackers to steal NFTs and SantaTokens without approval.

Normal behavior: Only Santa should call checkList() to perform the first status check
Specific issue: The function is missing the onlySanta modifier that exists on checkTwice()
Consequence: Anyone can manipulate the first check, causing Santa's second check to pass

// @> Missing onlySanta modifier - anyone can call this

function checkList(address person, Status status) external {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

// Compare to checkTwice() which has the modifier:

function checkTwice(address person, Status status) external onlySanta {

// ...

}

Risk

Likelihood:

Exploitable by any address with a single transaction
No special condition or setur require
Function is public and callable by anyone
Attack is trivial to execute

Impact:

Attacker can set themselvs as EXTRA_NICE without Santa's approval
Coplete bypass of protocol's autorization mechanism
DIrect theft of NFTs (worth 1 present each)
Direct theft of SantaTokens( 1e18 tokens per claim)
Unlimited number of attackers can exploit this
Protocol's core purpose (Santa's naugthy/nice list) becomes meaningless.

Proof of Concept

Explanation: This test demonstrates how an attacker can manipulate their own status by calling the unprotected checkList() function, then have Santa unknowingly confirm it with checkTwice(), ultimately allowing the attacker to steal rewards intended only for approved users.

function test_anyoneCanCheckList() public {

// Attacker manipulates their own status

vm.prank(attacker);

santasList.checkList(attacker, SantasList.Status.EXTRA_NICE);

// Santa performs second check (doesn't know first was manipulated)

vm.prank(santa);

santasList.checkTwice(attacker, SantasList.Status.EXTRA_NICE);

// Attacker collects rewards

vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME());

vm.prank(attacker);

santasList.collectPresent();

// Verify: Attacker successfully stole rewards

assertEq(santasList.balanceOf(attacker), 1);

assertEq(santaToken.balanceOf(attacker), 1e18);

}

Recommended Mitigation

Explanation: Adding the onlySanta modifier restricts function access to only the Santa address (set in the constructor), preventing unauthorized users from manipulating the first status check and ensuring only Santa can control the naughty/nice list.

- function checkList(address person, Status status) external {

+ function checkList(address person, Status status) external onlySanta {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

```

---

## 📝 NOW ALL FINDINGS WITH EXPLANATIONS

I'll format ALL remaining findings with PoC and Mitigation explanations included:

---

# FINDING #2: buyPresent() Burns From Wrong Address

### TITLE

```

buyPresent() Burns Tokens From Receiver Instead of Sender, Enabling Token Theft

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 18 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Anyone is able to call `checkList` function in SantasList contract and prevent any address from becoming `NICE` or `EXTRA_NICE` and collect present.

## Description With the current design of the protocol, anyone is able to call `checkList` function in SantasList contract, while documentation says only Santa should be able to call it. This can be considered as an access control vulnerability, because not only santa is allowed to make the first check. ## Vulnerability Details An attacker could simply call the external `checkList` function, passing as parameter the address of someone else and the enum Status `NAUGHTY`(or `NOT_CHECKED_TWICE`, which should actually be `UNKNOWN` given documentation). By doing that, Santa will not be able to execute `checkTwice` function correctly for `NICE` and `EXTRA_NICE` people. Indeed, if Santa first checked a user and assigned the status `NICE` or `EXTRA_NICE`, anyone is able to call `checkList` function again, and by doing so modify the status. This could result in Santa unable to execute the second check. Moreover, any malicious actor could check the mempool and front run Santa just before calling `checkTwice` function to check users. This would result in a major denial of service issue. ## Impact The impact of this vulnerability is HIGH as it results in a broken mechanism of the check list system. Any user could be declared `NAUGHTY` for the first check at any time, preventing present collecting by users although Santa considered the user as `NICE` or `EXTRA_NICE`. Santa could still call `checkList` function again to reassigned the status to `NICE` or `EXTRA_NICE` before calling `checkTwice` function, but any malicious actor could front run the call to `checkTwice` function. In this scenario, it would be impossible for Santa to actually double check a `NICE` or `EXTRA_NICE` user. ## Proof of Concept Just copy paste this test in SantasListTest contract : ``` function testDosAttack() external { vm.startPrank(makeAddr("attacker")); // any user can checList any address and assigned status to naughty // an attacker could front run Santa before the second check santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); vm.startPrank(santa); vm.expectRevert(); // Santa is unable to check twice the user santasList.checkTwice(makeAddr("user"), SantasList.Status.NICE); vm.stopPrank(); } ``` ## Recommendations I suggest to add the `onlySanta` modifier to `checkList` function. This will ensure the first check can only be done by Santa, and prevent DOS attack on the contract. With this modifier, specification will be respected : "In this contract Only Santa to take the following actions: - checkList: A function that changes an address to a new Status of NICE, EXTRA_NICE, NAUGHTY, or UNKNOWN on the original s_theListCheckedOnce list." The following code will resolve this access control issue, simply by adding `onlySanta` modifier: ``` function checkList(address person, Status status) external onlySanta { s_theListCheckedOnce[person] = status; emit CheckedOnce(person, status); } ``` No malicious actor is now able to front run Santa before `checkTwice` function call. The following tests shows that doing the first check for another user is impossible after adding `onlySanta` modifier: ``` function testDosResolved() external { vm.startPrank(makeAddr("attacker")); // checklist function call will revert if a user tries to execute the first check for another user vm.expectRevert(SantasList.SantasList__NotSanta.selector); santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!