Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

No Zero Address Check for Organizer Bricks FestivalPass

Root + Impact

Description

  • The contract does not validate that the organizer address is nonzero when calling setOrganizer or in the constructor. If the owner sets the organizer to the zero address, all organizer-only functions become permanently unusable, bricking core contract functionality such as configuring passes, creating performances, and managing memorabilia.

// FestivalPass.sol
function setOrganizer(address _organizer) public onlyOwner {
@>  organizer = _organizer;
}

Risk

Likelihood:

  • The owner can accidentally or maliciously set the organizer to the zero address at any time.

  • This can occur during deployment or later via setOrganizer.

Impact:

  • All organizer-only functions revert forever, making the contract unusable for its intended purpose.

  • The project and its users are permanently locked out of critical features.

Proof of Concept

If the organizer is set to the zero address, any call to an organizer-only function will revert, bricking the contract’s main features.

function test_OrganizerZeroAddressBricksContract() public {
    // Owner sets organizer to zero address
    festival.setOrganizer(address(0));
    // All organizer-only functions are now permanently unusable
    vm.expectRevert();
    festival.configurePass(1, 0.1 ether, 2);
}

Recommended Mitigation

To prevent this, always validate that the organizer address is not zero in both the constructor and setOrganizer:

- function setOrganizer(address _organizer) public onlyOwner {
- organizer = _organizer;
- }
+ function setOrganizer(address _organizer) public onlyOwner {
+ require(_organizer != address(0), "Invalid organizer address");
+ organizer = _organizer;
+ }
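Review bot: setOrganizer remains public onlyOwner after this change, so an organizer set to a wrong address can still be replaced by the owner with another call; the added require is input validation, not a fix for an irreversible state. The function also changes a privileged role without emitting an event; consider adding one so a misconfigured organizer is visible off-chain.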
- constructor(address _beatToken, address _organizer) ERC1155("ipfs://beatdrop/{id}") Ownable(msg.sender){
- setOrganizer(_organizer);
- beatToken = _beatToken;
- }
+ constructor(address _beatToken, address _organizer) ERC1155("ipfs://beatdrop/{id}") Ownable(msg.sender){
+ require(_organizer != address(0), "Invalid organizer address");
+ organizer = _organizer;
+ beatToken = _beatToken;
+ }
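Review bot: the constructor does not need its own copy of the check: the removed line setOrganizer(_organizer); would pick up the require added to setOrganizer, so keeping that call leaves the validation and its revert string in one place instead of two copies that can drift. Also, beatToken = _beatToken; is still assigned with no zero-address check, so if the aim is to reject zero addresses at deployment, validate _beatToken here as well.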
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational
