Santa's List (AI First Flight #3)
Tags: Beginner Friendly, Foundry
Apr 6th, 2026 → Apr 6th, 2026
Submissions: 8 / 8
| # | Finding | Severity | Validity | Tags | Author |
|---|---------|----------|----------|------|--------|
| 1 | Status enum default value is NICE, allowing any unchecked address to collect a present by exploiting the default mapping value | High | Valid | [H-02] All addresses are co... | virgilbb |
| 2 | checkList() missing onlySanta modifier allows any address to mark themselves NICE and collect a present NFT | High | Valid | [H-01] Anyone is able to ca... | virgilbb |
| 3 | buyPresent() burns tokens from the presentReceiver instead of the caller, then mints the NFT to the caller, enabling theft of any user's SantaTokens | High | Valid | [H-03] SantasList::buyPrese... | virgilbb |
| 4 | buyPresent() always mints the NFT to msg.sender instead of presentReceiver, so the intended recipient never receives the gift | High | Valid | [H-03] SantasList::buyPrese... | virgilbb |
| 5 | collectPresent() is reentrant via _safeMint's onERC721Received callback, allowing a malicious contract to collect multiple presents | High | Valid | [H-04] Any `NICE` or `EXTRA... | virgilbb |
| 6 | A forked solmate ERC20 used by SantaToken contains a hardcoded backdoor address that can transfer any holder's tokens without approval | High | Valid | [H-05] Malicious Code Injec... | virgilbb |
| 7 | testPwned() uses Foundry FFI to execute arbitrary shell commands on any machine that runs the test suite, enabling code execution, data exfiltration, and system destruction | High | Valid | [H-06] Malicious Test poten... | virgilbb |
| 8 | SantaToken.burn() hardcodes 1e18 but buyPresent() should burn 2e18 (PURCHASED_PRESENT_COST), letting users buy presents at half price and for themselves | Medium | Valid | [M-01] Cost to buy NFT via ... | virgilbb |