Santa's List

AI First Flight #3
Beginner Friendly, Foundry
Submission Details
Impact: high
Likelihood: medium
Invalid

`SantaToken.sol` uses fixed `1e18` without checking balance

[H-4] SantaToken.sol uses fixed 1e18 without checking balance

Description

  • `burn` in `SantaToken` always attempts to burn exactly `1e18` tokens, regardless of how many tokens the target address actually holds. Solmate's `_burn` reverts on underflow if the balance is insufficient (Solidity 0.8 checked arithmetic), but the real issue arises in combination with H-2: the burn targets `presentReceiver` rather than `msg.sender`. An address holding 0 tokens cannot be burned directly (the call reverts), but a victim holding exactly `1e18` tokens loses their entire balance in one call.

```solidity
function burn(address from) external {
    if (msg.sender != i_santasList) revert SantaToken__NotSantasList();
    _burn(from, 1e18); // @audit hardcoded amount, no balance check, wrong target (see H-2)
}
```

Risk

Likelihood:

  • always triggered when buyPresent is called (see C-2 for the attacker path).

Impact:

  • Victim's full token balance wiped with no recourse.

  • No partial-burn logic possible; inflexible for any future tokenomics change.

Recommended Mitigation

Pass the burn amount as a parameter, validate the caller holds sufficient balance, and (fixing C-2 simultaneously) burn from the caller.

- function burn(address from) external {
+ function burn(address from, uint256 amount) external {
if (msg.sender != i_santasList) revert SantaToken__NotSantasList();
+ require(balanceOf[from] >= amount, "Insufficient balance");
- _burn(from, 1e18);
+ _burn(from, amount);
}
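Review bot: the hunk does not implement the "burn from the caller" part of the mitigation stated above it: `_burn(from, amount)` still burns from the `from` argument, and inside `SantaToken` the only permitted `msg.sender` is `i_santasList`, so burning from the caller here would burn from the `SantasList` contract itself; the target fix belongs where `SantasList` chooses the `from` argument (the `buyPresent` path referenced as C-2), not in this function. Two smaller points on the same hunk: `require(balanceOf[from] >= amount, "Insufficient balance");` duplicates the checked subtraction in Solmate's `_burn`, so its only gain is a clearer revert reason, and the new `amount` parameter changes the signature, so the call site in `SantasList` needs a matching update that the diff does not show.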
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
