Santa's List
AI First Flight #3
Beginner FriendlyFoundry
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Unchecked addresses can claim presents because both status mappings default to `NICE`

kode_n_rolla

Status.NICE is the zero-value enum member, so both s_theListCheckedOnce and s_theListCheckedTwice default to NICE for unchecked users. Any unchecked address can call collectPresent() after the time gate and receive an NFT without Santa ever approving them.

Description

The intended behavior is that only addresses reviewed by Santa through both checkList() and checkTwice() should be eligible to collect a present. Users marked NICE should receive an NFT, and users marked EXTRA_NICE should receive an NFT plus a SantaToken.

  • Normal behavior: The intended behavior is that only addresses reviewed by Santa through both checkList() and checkTwice() should be eligible to collect a present.

  • Problem: Default value for any address - NICE

enum Status {
@> NICE,
EXTRA_NICE,
NAUGHTY,
NOT_CHECKED_TWICE
}
mapping(address person => Status naughtyOrNice) private s_theListCheckedOnce;
mapping(address person => Status naughtyOrNice) private s_theListCheckedTwice;
function collectPresent() external {
if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) {
revert SantasList__NotChristmasYet();
}
if (balanceOf(msg.sender) > 0) {
revert SantasList__AlreadyCollected();
}
if (
@> s_theListCheckedOnce[msg.sender] == Status.NICE &&
@> s_theListCheckedTwice[msg.sender] == Status.NICE
) {
_mintAndIncrement();
return;
}
...
}

Risk

Likelihood:

  • Any fresh address automatically satisfies the NICE branch because both mappings return the zero enum value for uninitialized entries.

  • The exploit only requires waiting until CHRISTMAS_2023_BLOCK_TIME and then calling collectPresent() once from an unchecked address.

Impact:

  • Any unapproved address can mint an NFT that should only be claimable after Santa performs two matching checks.

  • This breaks the core access-control logic of the present distribution system and allows unauthorized claims at scale.

Proof of Concept

function test_UncheckedUserCanCollectPresentDueToDefaultNiceStatus() public {
vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
// Fresh user has never been checked by Santa
assertEq(uint256(santasList.getNaughtyOrNiceOnce(attacker)), uint256(SantasList.Status.NICE));
assertEq(uint256(santasList.getNaughtyOrNiceTwice(attacker)), uint256(SantasList.Status.NICE));
assertEq(santasList.balanceOf(attacker), 0);
vm.prank(attacker);
santasList.collectPresent();
assertEq(santasList.balanceOf(attacker), 1);
assertEq(santasList.ownerOf(0), attacker);
}

Recommended Mitigation

enum Status {
- NICE,
- EXTRA_NICE,
- NAUGHTY,
- NOT_CHECKED_TWICE
+ NOT_CHECKED,
+ NICE,
+ EXTRA_NICE,
+ NAUGHTY
}

Additionally, ensure collectPresent() only accepts explicitly assigned NICE / EXTRA_NICE statuses rather than relying on the default mapping value.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 4 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] All addresses are considered `NICE` by default and are able to claim a NFT through `collectPresent` function before any Santa check.

## Description `collectPresent` function is supposed to be called by users that are considered `NICE` or `EXTRA_NICE` by Santa. This means Santa is supposed to call `checkList` function to assigned a user to a status, and then call `checkTwice` function to execute a double check of the status. Currently, the enum `Status` assigns its default value (0) to `NICE`. This means that both mappings `s_theListCheckedOnce` and `s_theListCheckedTwice` consider every existent address as `NICE`. In other words, all users are by default double checked as `NICE`, and therefore eligible to call `collectPresent` function. ## Vulnerability Details The vulnerability arises due to the order of elements in the enum. If the first value is `NICE`, this means the enum value for each key in both mappings will be `NICE`, as it corresponds to `0` value. ## Impact The impact of this vulnerability is HIGH as it results in a flawed mechanism of the present distribution. Any unchecked address is currently able to call `collectPresent` function and mint an NFT. This is because this contract considers by default every address with a `NICE` status (or 0 value). ## Proof of Concept The following Foundry test will show that any user is able to call `collectPresent` function after `CHRISTMAS_2023_BLOCK_TIME` : ``` function testCollectPresentIsFlawed() external { // prank an attacker's address vm.startPrank(makeAddr("attacker")); // set block.timestamp to CHRISTMAS_2023_BLOCK_TIME vm.warp(1_703_480_381); // collect present without any check from Santa santasList.collectPresent(); vm.stopPrank(); } ``` ## Recommendations I suggest to modify `Status` enum, and use `UNKNOWN` status as the first one. This way, all users will default to `UNKNOWN` status, preventing the successful call to `collectPresent` before any check form Santa: ``` enum Status { UNKNOWN, NICE, EXTRA_NICE, NAUGHTY } ``` After modifying the enum, you can run the following test and see that `collectPresent` call will revert if Santa didn't check the address and assigned its status to `NICE` or `EXTRA_NICE` : ``` function testCollectPresentIsFlawed() external { // prank an attacker's address vm.startPrank(makeAddr("attacker")); // set block.timestamp to CHRISTMAS_2023_BLOCK_TIME vm.warp(1_703_480_381); // collect present without any check from Santa vm.expectRevert(SantasList.SantasList__NotNice.selector); santasList.collectPresent(); vm.stopPrank(); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!