Santa's List

AI First Flight #3
Beginner Friendly, Foundry
EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Missing checks in buyPresent allows non-holders to execute function

Description

  • The buyPresent function is intended to be callable only by users holding SantaTokens, as documented in the NatSpec. This ensures that only eligible users can initiate the present purchase flow.

  • Currently, the function does not verify that the caller owns any SantaTokens before execution. As a result, any address can call buyPresent, even without holding tokens, violating the documented requirement and enabling unauthorized use of the function.

    function buyPresent(address presentReceiver) external {
    @>  i_santaToken.burn(presentReceiver); // burns from presentReceiver; no check that msg.sender holds any SantaTokens
        _mintAndIncrement();                // mints the present NFT to the caller
    }

Risk

Likelihood:

  • Every call to buyPresent can be executed by any address, regardless of token ownership.

  • No validation exists to restrict execution to SantaToken holders, so this occurs on every invocation by an unauthorized user.

Impact:

  • Users without tokens can mint NFTs without paying, bypassing the intended token payment requirement.

  • Unauthorized access can lead to unintended token burns, NFT misallocation, or disruption of the gift mechanism.

Proof of Concept

user2 without SantaTokens calls buyPresent, and the function executes successfully, allowing minting or token burn despite lacking the required tokens.

Add this function to your SantasListTest.t.sol file:

    function testAccess() public {
        // Santa marks `user` EXTRA_NICE (both checks) so `user` is eligible for a present
        vm.startPrank(santa);
        santasList.checkList(user, SantasList.Status.EXTRA_NICE);
        santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
        vm.stopPrank();

        // Move past Christmas so collectPresent() is open; `user` receives 1 SantaToken
        vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
        vm.startPrank(user);
        santasList.collectPresent();
        assertEq(santaToken.balanceOf(user), 1e18);
        vm.stopPrank();

        // user2 holds no SantaTokens, yet buyPresent succeeds and `user`'s token is burned
        vm.startPrank(user2);
        santasList.buyPresent(user);
        assertEq(santaToken.balanceOf(user), 0);
        vm.stopPrank();
    }

Recommended Mitigation

Add a check at the start of buyPresent to ensure the caller owns at least the required amount of SantaTokens before executing the function:

+ require(i_santaToken.balanceOf(msg.sender) > 0, "Caller must hold SantaTokens"); // i_santaToken is the contract's token reference, as in the snippet above
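As an added example (not part of the original submission or the Santa's List code base), the mitigated function as it would read inside SantasList, followed by two Foundry tests: one asserting that a non-holder's call now reverts, and one asserting that a holder can still buy a present. The tests assume the same SantasListTest.t.sol fixtures the PoC above uses (santasList, santaToken, santa, user, user2) and that SantaToken exposes the ERC20 balanceOf the PoC already calls.

```solidity
// Added example: hardened buyPresent as it would read inside SantasList.
// The body is the page's snippet plus the recommended holder check.
function buyPresent(address presentReceiver) external {
    require(i_santaToken.balanceOf(msg.sender) > 0, "Caller must hold SantaTokens");
    i_santaToken.burn(presentReceiver);
    _mintAndIncrement();
}

// Added example: tests for SantasListTest.t.sol (assumes the fixtures
// santasList, santaToken, santa, user and user2 from the PoC above).
function testBuyPresentRevertsForNonHolder() public {
    // user2 never collected a present, so it holds no SantaTokens
    assertEq(santaToken.balanceOf(user2), 0);

    vm.prank(user2);
    vm.expectRevert(bytes("Caller must hold SantaTokens"));
    santasList.buyPresent(user);
}

function testBuyPresentStillWorksForHolder() public {
    // Same setup as the PoC: user becomes EXTRA_NICE and collects a present
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
    vm.stopPrank();
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
    vm.prank(user);
    santasList.collectPresent();
    assertEq(santaToken.balanceOf(user), 1e18);

    // A holder passes the check; its own token is burned for the present
    vm.prank(user);
    santasList.buyPresent(user);
    assertEq(santaToken.balanceOf(user), 0);
}
```

The require only gates who may call the function. As in the page's snippet, burn still takes presentReceiver as its argument, so a caller that does hold tokens can still name a different address there; any review of this function should check that the address being burned from is the one intended to pay.
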

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
