Santa's List

AI First Flight #3

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Reentrancy in `collectPresent` via `_safeMint`

arush

[H-3] Reentrancy in `collectPresent` via `_safeMint`

Description

collectPresent uses _safeMint, which triggers onERC721Received on the recipient if it is a contract. The reentrancy guard used is balanceOf(msg.sender) > 0, but this check passes only after the mint increments the balance. However, the _mintAndIncrement call happens before the function returns, and a malicious contract can re-enter collectPresent during the onERC721Received callback — at that point its balance is already 1, so... wait, actually the balanceOf check would catch re-entry for the NFT. But for the EXTRA_NICE path, i_santaToken.mint(msg.sender) is called after _mintAndIncrement, meaning the attacker could re-enter before the token mint and force double token minting. More critically: a carefully crafted re-entry during _safeMint inside mint can bypass the balanceOf check in an interleaved call pattern if the attacker transfers the NFT out mid-callback.
The most direct reentrancy path is:
1. Enter collectPresent as EXTRA_NICE.
2. _mintAndIncrement is called → _safeMint triggers onERC721Received on attacker contract.
3. Inside callback: transfer the NFT to another address (balance drops to 0).
4. Re-enter collectPresent — balanceOf is now 0 again → passes check.
5. Collect again indefinitely.

function collectPresent() external {

// ...

if (balanceOf(msg.sender) > 0) { // @audit balance check only

revert SantasList__AlreadyCollected();

}

// ...

_mintAndIncrement(); // @audit _safeMint triggers onERC721Received callback

return; // attacker transfers NFT inside callback, re-enters here

}

function _mintAndIncrement() private {

_safeMint(msg.sender, s_tokenCounter++); // external call to recipient

}

Risk

Likelihood:

requires a malicious contract recipient and deliberate setup, but is a well-known attack pattern.

Impact:

Unlimited NFT minting for a malicious contract.
Unlimited SantaToken minting on the EXTRA_NICE path.
Complete bypass of the "collect once" invariant.

Proof of Concept

A contract to witness the Reentrancy attack possible with the smart contract:

contract ReentrancyAttacker is IERC721Receiver {

SantasList santasList;

uint256 count;

constructor(address _santasList) { santasList = SantasList(_santasList); }

function attack() external { santasList.collectPresent(); }

function onERC721Received(address, address, uint256 tokenId, bytes calldata)

external returns (bytes4)

{

// Transfer NFT away so balanceOf drops to 0

santasList.transferFrom(address(this), address(0xdead), tokenId);

if (count < 5) {

count++;

santasList.collectPresent(); // re-enter

}

return this.onERC721Received.selector;

}

Recommended Mitigation

Use a dedicated bool mapping as a collected flag, set it before any external calls (checks-effects-interactions pattern), or use OpenZeppelin's ReentrancyGuard.

+ mapping(address => bool) private s_alreadyCollected;

function collectPresent() external {

if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) revert SantasList__NotChristmasYet();

- if (balanceOf(msg.sender) > 0) revert SantasList__AlreadyCollected();

+ if (s_alreadyCollected[msg.sender]) revert SantasList__AlreadyCollected();

+ s_alreadyCollected[msg.sender] = true; // effect before interaction

// ... rest of logic

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-04] Any `NICE` or `EXTRA_NICE` user is able to call `collectPresent` function multiple times.

## Description `collectPresent` function is callable by any address, but the call will succeed only if the user is registered as `NICE` or `EXTRA_NICE` in SantasList contract. In order to prevent users to collect presents multiple times, the following check is implemented: ``` if (balanceOf(msg.sender) > 0) { revert SantasList__AlreadyCollected(); } ``` Nevertheless, there is an issue with this check. Users could send their newly minted NFTs to another wallet, allowing them to pass that check as `balanceOf(msg.sender)` will be `0` after transferring the NFT. ## Vulnerability Details Let's imagine a scenario where an `EXTRA_NICE` user wants to collect present when it is Christmas time. The user will call `collectPresent` function and will get 1 NFT and `1e18` SantaTokens. This user could now call `safetransferfrom` ERC-721 function in order to send the NFT to another wallet, while keeping SantaTokens on the same wallet (or send them as well, it doesn't matter). After that, it is possible to call `collectPresent` function again as ``balanceOf(msg.sender)` will be `0` again. ## Impact The impact of this vulnerability is HIGH as it allows any `NICE` user to mint as much NFTs as wanted, and it also allows any `EXTRA_NICE` user to mint as much NFTs and SantaTokens as desired. ## Proof of Concept The following tests shows that any `NICE` or `EXTRA_NICE` user is able to call `collectPresent` function again after transferring the newly minted NFT to another wallet. - In the case of `NICE` users, it will be possible to mint an infinity of NFTs, while transferring all of them in another wallet hold by the user. - In the case of `EXTRA_NICE` users, it will be possible to mint an infinity of NFTs and an infinity of SantaTokens. ``` function testExtraNiceCanCollectTwice() external { vm.startPrank(santa); // Santa checks twice the user as EXTRA_NICE santasList.checkList(user, SantasList.Status.EXTRA_NICE); santasList.checkTwice(user, SantasList.Status.EXTRA_NICE); vm.stopPrank(); // It is Christmas time! vm.warp(1_703_480_381); vm.startPrank(user); // User collects 1 NFT + 1e18 SantaToken santasList.collectPresent(); // User sends the minted NFT to another wallet santasList.safeTransferFrom(user, makeAddr("secondWallet"), 0); // User collect present again santasList.collectPresent(); vm.stopPrank(); // Users now owns 2e18 tokens, after calling 2 times collectPresent function successfully assertEq(santaToken.balanceOf(user), 2e18); } ``` ## Recommendations SantasList should implement in its storage a mapping to keep track of addresses which already collected present through `collectPresent` function. We could declare as a state variable : ``` mapping(address user => bool) private hasClaimed; ``` and then modify `collectPresent` function as follows: ``` function collectPresent() external { // use SantasList__AlreadyCollected custom error to save gas require(!hasClaimed[msg.sender], "user already collected present"); if (block.timestamp < CHRISTMAS_2023_BLOCK_TIME) { revert SantasList__NotChristmasYet(); } if (s_theListCheckedOnce[msg.sender] == Status.NICE && s_theListCheckedTwice[msg.sender] == Status.NICE) { _mintAndIncrement(); hasClaimed[msg.sender] = true; return; } else if ( s_theListCheckedOnce[msg.sender] == Status.EXTRA_NICE && s_theListCheckedTwice[msg.sender] == Status.EXTRA_NICE ) { _mintAndIncrement(); i_santaToken.mint(msg.sender); hasClaimed[msg.sender] = true; return; } revert SantasList__NotNice(); } ``` We just added a check that `hasClaimed[msg.sender]` is `false` to execute the rest of the function, while removing the check on `balanceOf`. Once present is collected, either for `NICE` or `EXTRA_NICE` people, we update `hasClaimed[msg.sender]` to `true`. This will prevent user to call `collectPresent` function. If you run the previous test with this new implementation, it wail fail with the error `user already collected present`. Here is a new test that checks the new implementation works as desired: ``` function testCorrectCollectPresentImpl() external { vm.startPrank(santa); // Santa checks twice the user as EXTRA_NICE santasList.checkList(user, SantasList.Status.EXTRA_NICE); santasList.checkTwice(user, SantasList.Status.EXTRA_NICE); vm.stopPrank(); // It is Christmas time! vm.warp(1_703_480_381); vm.startPrank(user); // User collects 1 NFT + 1e18 SantaToken santasList.collectPresent(); // User sends the minted NFT to another wallet santasList.safeTransferFrom(user, makeAddr("secondWallet"), 0); vm.expectRevert("user already collected present"); santasList.collectPresent(); vm.stopPrank(); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!