Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

[M-2] Missing validation for address(0) in `Constructor`

shahraj2605

Description

In the `FestivalPass` contract, the constructor accepts two parameters: `_beatToken` and `_organizer`.

However, there is no validation to ensure that these addresses are not the zero address (address(0)),

which could lead to critical operational failures.

```javascript

constructor(address _beatToken, address _organizer) ERC1155("ipfs://beatdrop/{id}") Ownable(msg.sender){

setOrganizer(_organizer); // No check for address(0)

beatToken = _beatToken; // No check for address(0)

}

```

If either value is mistakenly set to address(0), it can lead to:

Loss of control (e.g., if organizer is set to zero address, no one can call onlyOrganizer functions).

Token operations failure (e.g., beatToken.mint() will fail if beatToken == address(0)).

Risk

Impact:

Risk: Dos(Denial Of Service), Misconfiguration

1. `attendPerformance()` and `buyPass()` will revert when calling `BeatToken(beatToken).mint(...)` if beatToken is not set properly.

2. Any call gated by onlyOrganizer will be inaccessible if `_organizer` is address(0).

Proof of Concept

1. Deploy FestivalPass with _beatToken = address(0) and _organizer = address(0).

2. Try to:

1. Call buyPass() → fails on mint due to invalid address.

2. Call configurePass() → reverts with "Only organizer can call this".

3. Organizer functions are inaccessible. Minting BEAT will revert.

Demonstrates that using address(0) configures a broken contract with no organizer and no token interactions.

Put following test in `FestivalPass.t.sol`

```javascript

function testConstructorAllowsZeroAddresses() public {

BeatToken bt = new BeatToken();

FestivalPass fp = new FestivalPass(address(0), address(0));

assertEq(fp.beatToken(), address(0));

assertEq(fp.organizer(), address(0));

// Calling functions should now revert

vm.prank(user1);

vm.expectRevert("Only organizer can call this");

fp.configurePass(1, 1, 1);

}

```

This confirms the constructor allowed both addresses to be uninitialized—leading to no functioning control or token minting.

Recommended Mitigation

```diff

constructor(address _beatToken, address _organizer) ERC1155("ipfs://beatdrop/{id}") Ownable(msg.sender) {

+ require(_beatToken != address(0), "Invalid BEAT token address");

+ require(_organizer != address(0), "Invalid organizer address");

beatToken = _beatToken;

setOrganizer(_organizer);

}

```

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.