Santa's List

AI First Flight #3

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-01] Missing onlySanta Modifier in checkList Allows Anyone to Modify First Pass Status and Cause DoS

nasdalihin

Root + Impact

Description

The intended design of the protocol dictates that Santa (i_santa) should be the sole entity authorized to perform the initial status screening (NICE, EXTRA_NICE, or NAUGHTY) of an address via the checkList function.
However, the checkList function completely lacks the onlySanta modifier or any alternative access control mechanism. This omission allows any external malicious actor to call the function and overwrite the status stored inside the s_theListCheckedOnce mapping. Consequently, when Santa attempts to finalize the evaluation using checkTwice, the transaction will inevitably revert due to the strict validation check requiring the first and second statuses to match. This results in a permanent Denial of Service (DoS) for legitimate users trying to collect their holiday rewards.

// src/SantasList.sol

//@> Missing onlySanta access control modifier here

function checkList(address person, Status status) external {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

Risk

Likelihood:

Any unprivileged user calls the public checkList function directly with an arbitrary target address and an incorrect status parameter.
An attacker front-runs Santa's legitimate checkList transactions monitored in the public mempool to preemptively alter a user's initial status.

Impact:

Denial of Service (DoS): Santa is completely blocked from successfully executing checkTwice for targeted users because the condition s_theListCheckedOnce[person] != status will always evaluate to true, forcing a contract revert.
Affected users are permanently barred from successfully executing collectPresent to claim their designated NFTs or SantaToken rewards since their status can never be populated in the s_theListCheckedTwice validation mapping.

Proof of Concept

Santa intends to mark Alice as Status.NICE by initiating a transaction to checkList(Alice, Status.NICE).
An attacker observes this and either front-runs Santa or directly calls checkList(Alice, Status.NAUGHTY).
The storage state of s_theListCheckedOnce[Alice] is successfully overwritten to Status.NAUGHTY without requiring any signature from Santa.
Santa subsequent attempt to confirm the record by executing checkTwice(Alice, Status.NICE) fails instantly.
The execution reverts with the custom error SantasList__SecondCheckDoesntMatchFirst(). Alice's record is effectively corrupted, and she can never retrieve her gifts.

function testAttackCheckListAllowsAnyoneToCall() public {

address attacker = makeAddr("attacker");

address victim = makeAddr("victim");

// Attacker calls checkList directly without being Santa

vm.prank(attacker);

santasList.checkList(victim, SantasList.Status.NAUGHTY);

// Assert that the attacker successfully manipulated the list state

assertEq(uint256(santasList.getNaughtyOrNiceOnce(victim)), uint256(SantasList.Status.NAUGHTY));

}

Recommended Mitigation

Apply the missing onlySanta modifier to the checkList function to restrict access exclusively to the authorized Santa deployer address, mirroring the access control configuration of checkTwice.

- function checkList(address person, Status status) external {

+ function checkList(address person, Status status) external onlySanta {

s_theListCheckedOnce[person] = status;

emit CheckedOnce(person, status);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Anyone is able to call `checkList` function in SantasList contract and prevent any address from becoming `NICE` or `EXTRA_NICE` and collect present.

## Description With the current design of the protocol, anyone is able to call `checkList` function in SantasList contract, while documentation says only Santa should be able to call it. This can be considered as an access control vulnerability, because not only santa is allowed to make the first check. ## Vulnerability Details An attacker could simply call the external `checkList` function, passing as parameter the address of someone else and the enum Status `NAUGHTY`(or `NOT_CHECKED_TWICE`, which should actually be `UNKNOWN` given documentation). By doing that, Santa will not be able to execute `checkTwice` function correctly for `NICE` and `EXTRA_NICE` people. Indeed, if Santa first checked a user and assigned the status `NICE` or `EXTRA_NICE`, anyone is able to call `checkList` function again, and by doing so modify the status. This could result in Santa unable to execute the second check. Moreover, any malicious actor could check the mempool and front run Santa just before calling `checkTwice` function to check users. This would result in a major denial of service issue. ## Impact The impact of this vulnerability is HIGH as it results in a broken mechanism of the check list system. Any user could be declared `NAUGHTY` for the first check at any time, preventing present collecting by users although Santa considered the user as `NICE` or `EXTRA_NICE`. Santa could still call `checkList` function again to reassigned the status to `NICE` or `EXTRA_NICE` before calling `checkTwice` function, but any malicious actor could front run the call to `checkTwice` function. In this scenario, it would be impossible for Santa to actually double check a `NICE` or `EXTRA_NICE` user. ## Proof of Concept Just copy paste this test in SantasListTest contract : ``` function testDosAttack() external { vm.startPrank(makeAddr("attacker")); // any user can checList any address and assigned status to naughty // an attacker could front run Santa before the second check santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); vm.startPrank(santa); vm.expectRevert(); // Santa is unable to check twice the user santasList.checkTwice(makeAddr("user"), SantasList.Status.NICE); vm.stopPrank(); } ``` ## Recommendations I suggest to add the `onlySanta` modifier to `checkList` function. This will ensure the first check can only be done by Santa, and prevent DOS attack on the contract. With this modifier, specification will be respected : "In this contract Only Santa to take the following actions: - checkList: A function that changes an address to a new Status of NICE, EXTRA_NICE, NAUGHTY, or UNKNOWN on the original s_theListCheckedOnce list." The following code will resolve this access control issue, simply by adding `onlySanta` modifier: ``` function checkList(address person, Status status) external onlySanta { s_theListCheckedOnce[person] = status; emit CheckedOnce(person, status); } ``` No malicious actor is now able to front run Santa before `checkTwice` function call. The following tests shows that doing the first check for another user is impossible after adding `onlySanta` modifier: ``` function testDosResolved() external { vm.startPrank(makeAddr("attacker")); // checklist function call will revert if a user tries to execute the first check for another user vm.expectRevert(SantasList.SantasList__NotSanta.selector); santasList.checkList(makeAddr("user"), SantasList.Status.NAUGHTY); vm.stopPrank(); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!