Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

[M-4] Invalid Type for `beatToken` in Contract State


Description

The state variable `beatToken` is declared as an address, which is valid for storing any Ethereum address, including token contract addresses. However, if the variable is intended to represent an ERC-20 token, it should reference an ERC-20 contract interface to facilitate interaction with the token's methods.
```solidity
address public beatToken;
```
Potential Problem:
If you want to interact with an ERC-20 token, you need to use the ERC-20 token interface, which would look like:
```solidity
IERC20 public beatToken;
```
This allows the contract to call ERC-20 functions such as transfer(), approve(), and balanceOf().
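
The interface-typed declaration in the context of a complete contract, as an added example (not code from the submission or the contest repository). `BeatTokenVault`, `owner`, `beatBalance` and `beatTokenAddress` are hypothetical names; the import path is the OpenZeppelin one given in the mitigation section of this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Hypothetical holder contract for illustration; not the contest's FestivalPass code.
contract BeatTokenVault {
    IERC20 public beatToken;        // interface-typed state variable
    address public immutable owner; // assumption: a single admin controls payouts

    constructor(address _beatToken) {
        // Reject EOAs and undeployed addresses: a token address without
        // code is a misconfiguration.
        require(_beatToken.code.length > 0, "beatToken: not a contract");
        beatToken = IERC20(_beatToken); // explicit address -> IERC20 conversion
        owner = msg.sender;
    }

    /// Pays out tokens held by this contract. Restricted so that arbitrary
    /// callers cannot use it to move the contract's balance.
    function transferBeatToken(address recipient, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(recipient != address(0), "zero recipient");
        // The compiler ABI-encodes transfer(address,uint256) from the interface type.
        // IERC20.transfer returns a bool; check it instead of ignoring it.
        require(beatToken.transfer(recipient, amount), "beatToken: transfer failed");
    }

    /// Read path through the same interface.
    function beatBalance() external view returns (uint256) {
        return beatToken.balanceOf(address(this));
    }

    /// Solidity code that needs the plain address type must convert back
    /// explicitly from the interface type.
    function beatTokenAddress() external view returns (address) {
        return address(beatToken);
    }
}
```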

Risk

Impact:

Cannot call ERC-20 token methods on the beatToken.
The contract may not function as intended for token transfers.

Proof of Concept

Demonstrates improper typing blocks standard ERC-20 calls:
```solidity
function testBeatTokenBlocksERC20Call() public {
    // Very minimal dummy interface
    address wrong = address(festivalPass.beatToken());
    // Expect compile-time or revert
    (bool success, ) = wrong.call(
        abi.encodeWithSignature("balanceOf(address)", address(this))
    );
    assertTrue(!success, "balanceOf should not exist on raw address");
}
```
This verifies the need for the IERC20 interface for direct calls. Using a raw address causes failure.
=> Current Contract Example:
The contract is using address beatToken but expects token-related functions like transfer().
```solidity
function transferBeatToken(address recipient, uint256 amount) public {
    beatToken.transfer(recipient, amount); // Error: address does not have `transfer()` method
}
```
This will fail because an address type cannot call the transfer method, which is only available to IERC20 interfaces.
=> Real-World Risk
Functionality Breakdown: The contract will not be able to call functions like transfer(), balanceOf(), etc., on the beatToken, causing functionality to break.
User Experience: Users will not be able to interact with the beatToken properly, leading to failed transactions or logic issues.

Recommended Mitigation

You need to declare beatToken as an interface of the ERC-20 token, so that its methods can be invoked properly. Example fix:
```solidity
// At the top of the contract file, alongside the other imports, add the following:
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
```
```diff
- address public beatToken;
+ IERC20 public beatToken;
```
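Review bot: the `+ IERC20 public beatToken;` line changes the variable's Solidity type, but the hunk does not touch any place where `beatToken` is assigned or used as an address. Every assignment from an `address` needs an explicit conversion such as `beatToken = IERC20(_beatToken);`, and every use that expects an `address` needs `address(beatToken)`, or the contract will no longer compile. Those call sites, together with the `IERC20` import shown separately above, should be part of the same patch.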
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
