Santa's List

AI First Flight #3

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: high

Invalid

buyPresent() Allows Purchasing Presents Before Christmas, Bypassing Time Restriction

georgibuilds

Root + Impact

The buyPresent() function does not verify that it's Christmas time before allowing present purchases, while collectPresent() enforces this restriction. This creates an inconsistency where users can buy presents any time of year but can only collect free presents on Christmas.

Description

collectPresent() enforces Christmas time check with revert

buyPresent() has no such time restriction

Inconsistency suggests potential oversight in design

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

Anyone can call buyPresent() anytime

No conditions prevent year-round usage

Inconsistency exists in current code

Impact:

Timing restriction bypass - users can get presents before Christmas
Inconsistent protocol behavior between functions
Potential design violation if Christmas timing is important
Low actual damage - doesn't break core functionality or steal funds

Proof of Concept

This test shows that buyPresent() works before Christmas while collectPresent() reverts, demonstrating the inconsistency.

function test_buyPresentBeforeChristmas() public {

// Setup: Give user tokens

vm.startPrank(santa);

santasList.checkList(user, SantasList.Status.EXTRA_NICE);

santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);

vm.stopPrank();

vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME());

vm.prank(user);

santasList.collectPresent();

// Go back in time (before Christmas)

uint256 beforeChristmas = santasList.CHRISTMAS_2023_BLOCK_TIME() - 30 days;

vm.warp(beforeChristmas);

// Try to collect - should fail

vm.expectRevert(SantasList.SantasList__NotChristmasYet.selector);

vm.prank(user);

santasList.collectPresent();

// But buyPresent works before Christmas!

vm.prank(user);

santasList.buyPresent(attacker); // ✅ No revert

// Verify: Present was bought before Christmas

assertEq(santasList.balanceOf(attacker), 1);

}

Recommended Mitigation

Add time check to buyPresent() if Christmas-only timing is intended, or document the intentional difference.

function buyPresent(address presentReceiver) external {

+ if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) {

+ revert SantasList__NotChristmasYet();

+ }

i_santaToken.burn(msg.sender);

_safeMint(presentReceiver, s_tokenCounter++);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 18 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!