Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

[M-1] Collections created with activateNow = false cannot be activated later, causing permanent denial of service

demaxl

[M-1] Collections created with `activateNow = false` cannot be activated later, causing permanent denial of service

Description

The FestivalPass::createMemorabiliaCollection function allows organizers to create collections with an activateNow parameter that determines whether the collection is immediately active for redemption. However, there is no mechanism to activate collections that were created with activateNow = false. When a collection is created, the isActive field is set based on the activateNow parameter:

collections[collectionId] = MemorabiliaCollection({

name: name,

baseUri: baseUri,

priceInBeat: priceInBeat,

maxSupply: maxSupply,

currentItemId: 1,

@> isActive: activateNow

});

The FestivalPass::redeemMemorabilia function requires collections to be active:

require(collection.isActive, "Collection not active");

Since there's no function to modify the isActive state after creation, collections created with activateNow = false become permanently unusable.

Impact

Collections created with activateNow = false are permanently locked and cannot be used for their intended purpose. This creates a denial of service for organizers who intended to activate these collections later. The organizer must create new collections to achieve the same functionality, leading to wasted gas and potential confusion.

Proof of Concept

Organizer calls createMemorabiliaCollection with activateNow = false:

festivalPass.createMemorabiliaCollection("Future Collection", "ipfs://QmXXX", 100e18, 10, false);

Collection is created with isActive = false
Users attempt to redeem from the collection:
festivalPass.redeemMemorabilia(collectionId); // Reverts with "Collection not active"
No function exists to activate the collection, making it permanently unusable

Recommended Mitigation

Add a function to allow organizers to activate collections after creation:

function activateCollection(uint256 collectionId) external onlyOrganizer {

require(collections[collectionId].priceInBeat > 0, "Collection does not exist");

require(!collections[collectionId].isActive, "Collection already active");

collections[collectionId].isActive = true;

emit CollectionActivated(collectionId);

}

Additionally, consider adding a corresponding deactivateCollection function for complete control over collection states.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

createMemorabiliaCollection with isActive false for later usage - flow not properly implemented.

Low because an organizer can use it with active = true and organizer is trusted.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.