Santa's List
AI First Flight #3 | Beginner Friendly | Foundry
Jun 15th, 2026 → Jun 15th, 2026
Submissions: 10 / 10
#   | Submission | Severity | Validity | Tag | Author
#1  | collectPresent: the Status enum defaults to NICE (index 0), so any unchecked address passes the nice check and mints a free NFT | High | Valid | [H-02] All addresses are co... | sub99
#2  | Anyone can collect a present without Santa ever listing them, because an uninitialized status reads as NICE — the naughty/nice gate is bypassed entirely | High | Valid | [H-02] All addresses are co... | sub99
#3  | buyPresent burns the presentReceiver's SantaTokens (not the caller's), letting anyone destroy another holder's tokens and take the NFT | High | Valid | [H-03] SantasList::buyPrese... | sub99
#4  | buyPresent mints the NFT to msg.sender instead of presentReceiver, inverting the intended buy-for-someone-else logic | High | Valid | [H-03] SantasList::buyPrese... | sub99
#5  | buyPresent charges only 1e18 SantaToken instead of PURCHASED_PRESENT_COST (2e18) — presents are bought at half the intended cost | Medium | Valid | [M-01] Cost to buy NFT via ... | sub99
#6  | checkList is missing the onlySanta modifier, so anyone can set any address's first-pass status, griefing checkTwice or self-listing | High | Valid | [H-01] Anyone is able to ca... | sub99
#7  | CHRISTMAS_2023_BLOCK_TIME is a hardcoded past timestamp, so the collectPresent time-gate is permanently open instead of guarding a date | Low | Invalid | | sub99
#8  | CheckedOnce/CheckedTwice events do not index the person, degrading off-chain list tracking | Low | Invalid | | sub99
#9  | collectPresent and buyPresent emit no present-collected event, reducing on-chain transparency of distributions | Low | Invalid | | sub99
#10 | Every SANTA NFT returns the same hardcoded tokenURI regardless of tokenId, so all presents are visually identical | Low | Invalid | | sub99
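The pitfall behind submissions #1 and #2 is a general Solidity one: an unset mapping slot reads back as the zero value of its type, and for an enum that is its first member. The following is an added illustration written for this page, not code from the Santa's List repository; the contract names, the Status member order, the storage names and the demo harness are all assumptions. It places a vulnerable list next to a hardened one whose zero value is an explicit "never checked" state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the SantasList contract from the First Flight repo.
// Contract names, the Status member order and storage names are assumptions.

contract VulnerableNiceList {
    // The zero value of an enum is its first member, so an address Santa has
    // never checked reads back from the mapping as NICE.
    enum Status { NICE, EXTRA_NICE, NAUGHTY, NOT_CHECKED_TWICE }

    address public immutable santa;
    mapping(address => Status) private s_theListCheckedOnce;
    mapping(address => bool) public collected;

    constructor() {
        santa = msg.sender;
    }

    modifier onlySanta() {
        require(msg.sender == santa, "only santa");
        _;
    }

    function checkList(address person, Status status) external onlySanta {
        s_theListCheckedOnce[person] = status;
    }

    function getNaughtyOrNiceOnce(address person) external view returns (Status) {
        return s_theListCheckedOnce[person];
    }

    // Every unlisted address satisfies this gate because Status(0) == NICE.
    function collectPresent() external {
        require(!collected[msg.sender], "already collected");
        require(s_theListCheckedOnce[msg.sender] == Status.NICE, "not nice");
        collected[msg.sender] = true; // the real contract would mint the NFT here
    }
}

contract HardenedNiceList {
    // Fix: reserve the zero value for "never checked" so that an unset mapping
    // entry can never pass the nice check.
    enum Status { UNKNOWN, NICE, EXTRA_NICE, NAUGHTY }

    address public immutable santa;
    mapping(address => Status) private s_theListCheckedOnce;
    mapping(address => bool) public collected;

    constructor() {
        santa = msg.sender;
    }

    modifier onlySanta() {
        require(msg.sender == santa, "only santa");
        _;
    }

    function checkList(address person, Status status) external onlySanta {
        require(status != Status.UNKNOWN, "cannot reset to unknown");
        s_theListCheckedOnce[person] = status;
    }

    function collectPresent() external {
        require(!collected[msg.sender], "already collected");
        require(s_theListCheckedOnce[msg.sender] == Status.NICE, "not on the nice list");
        collected[msg.sender] = true;
    }
}

// Deploys both lists and calls collectPresent from an address neither has listed.
contract EnumDefaultDemo {
    function run() external returns (bool vulnerableLetMeIn, bool hardenedLetMeIn) {
        VulnerableNiceList v = new VulnerableNiceList();
        HardenedNiceList h = new HardenedNiceList();
        // This contract is "santa" for both lists but never called checkList on itself.
        (vulnerableLetMeIn, ) = address(v).call(abi.encodeWithSignature("collectPresent()"));
        (hardenedLetMeIn, ) = address(h).call(abi.encodeWithSignature("collectPresent()"));
    }
}
```

Deploy EnumDefaultDemo and call run(): the call into VulnerableNiceList succeeds while the one into HardenedNiceList reverts. The check generalizes to any enum-keyed mapping that gates access: the first enum member must be the "not set" state, and the gate must compare against a member that can only be reached by an explicit write.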
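Submissions #3, #4 and #5 describe three defects in the same function: buyPresent burns from the wrong account, mints to the wrong account and charges the wrong amount. The following added example shows those three defects next to a corrected version and drives both from a caller that holds no tokens. It is not the First Flight's SantasList or SantaToken code; ToyToken, ToyPresent, the two shop contracts and the VICTIM address are minimal stand-ins assumed for this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the First Flight's SantasList/SantaToken code.
// ToyToken, ToyPresent and the two shop contracts are minimal stand-ins.

// Bare-bones token: only the shop that deployed it may burn balances.
contract ToyToken {
    address public immutable shop;
    mapping(address => uint256) public balanceOf;

    constructor(address shop_) {
        shop = shop_;
    }

    // Unrestricted mint keeps the demo short; a real token would gate this.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external {
        require(msg.sender == shop, "only shop");
        balanceOf[from] -= amount; // 0.8 checked arithmetic reverts on underflow
    }
}

// Bare-bones "NFT": counts presents per owner instead of tracking tokenIds.
contract ToyPresent {
    mapping(address => uint256) public presentsOf;

    function mint(address to) external {
        presentsOf[to] += 1;
    }
}

contract VulnerableShop {
    uint256 public constant PURCHASED_PRESENT_COST = 2e18;
    ToyToken public immutable token;
    ToyPresent public immutable present;

    constructor() {
        token = new ToyToken(address(this));
        present = new ToyPresent();
    }

    // Mirrors the three defects on the submissions list:
    //   burns presentReceiver's tokens, not the caller's     (#3)
    //   mints the present to msg.sender, not presentReceiver (#4)
    //   charges 1e18 instead of PURCHASED_PRESENT_COST       (#5)
    function buyPresent(address presentReceiver) external {
        token.burn(presentReceiver, 1e18);
        present.mint(msg.sender);
    }
}

contract HardenedShop {
    uint256 public constant PURCHASED_PRESENT_COST = 2e18;
    ToyToken public immutable token;
    ToyPresent public immutable present;

    constructor() {
        token = new ToyToken(address(this));
        present = new ToyPresent();
    }

    // The caller pays the full price and the receiver gets the present.
    function buyPresent(address presentReceiver) external {
        token.burn(msg.sender, PURCHASED_PRESENT_COST);
        present.mint(presentReceiver);
    }
}

// Drives both shops from an address (this contract) that holds no tokens.
contract BuyPresentDemo {
    address constant VICTIM = address(0xBEEF); // assumed victim address

    function run()
        external
        returns (uint256 victimBalanceAfter, uint256 attackerPresents, bool hardenedCallReverted)
    {
        VulnerableShop v = new VulnerableShop();
        v.token().mint(VICTIM, 2e18);
        v.buyPresent(VICTIM);                                      // attacker pays nothing
        victimBalanceAfter = v.token().balanceOf(VICTIM);          // victim's balance was burned from
        attackerPresents = v.present().presentsOf(address(this));  // attacker holds the present

        HardenedShop h = new HardenedShop();
        h.token().mint(VICTIM, 2e18);
        (bool ok, ) = address(h).call(abi.encodeWithSignature("buyPresent(address)", VICTIM));
        hardenedCallReverted = !ok; // caller has no tokens to burn, so the purchase fails
    }
}
```

Calling BuyPresentDemo.run() shows the victim's balance reduced by the discounted price and the present credited to the attacker on the vulnerable shop, while the hardened shop rejects the same call because the caller, not the receiver, must fund the burn.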