Beatland Festival

First Flight #44
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Impact: low
Likelihood: medium
Invalid

One Time setFestivalContract Lock May Limit

Root + Impact

Description

The setFestivalContract function can only be called once — it locks the festivalContract address permanently after the first call. While this is useful for immutability, it introduces operational risk: the contract cannot be reused across multiple festivals or fixed if the target contract is buggy or replaced.

function setFestivalContract(address _festival) external onlyOwner {
    require(festivalContract == address(0), "Festival contract already set"); // hard lock
    festivalContract = _festival;
}

Risk

Likelihood

  • Owner may mistakenly or prematurely lock the address.

  • No mechanism exists to update the address post-deployment.

  • Realistic over long-term festivals or evolving backends.

Impact

  • Makes the system inflexible and fragile.

  • Requires contract redeployment for upgrades or bug fixes.

  • Could lock out BEAT token utility if misconfigured once.

Proof of Concept

beatToken.setFestivalContract(address(0x123)); // successful
// Later realization of mistake:
beatToken.setFestivalContract(address(0x999)); // reverts permanently
// Even the contract owner cannot fix this without deploying a new token contract.

Recommended Mitigation

- require(festivalContract == address(0), "Festival contract already set");
+ require(_festival != address(0), "Invalid festival address");
+ festivalContract = _festival;
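
Review bot: removing the `festivalContract == address(0)` require on the first line of this hunk drops the one-time lock altogether, so the owner can repoint `festivalContract` at any time rather than only correct a bad first value. If the aim is to guard against a mistaken initial call, keep that require and add the `_festival != address(0)` check next to it; if later updates are really wanted, emit an event on each change so a repoint is visible off-chain. The `+ festivalContract = _festival;` line already appears in the function quoted under Description, so it is unchanged context, not an addition.
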
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

`setFestivalContract` only callable once

This is intended. It's done like that because the festival contract requires beat token's address and vice versa.
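
The circular dependency behind that design choice, as an added sketch that is not the audited Beatland code: the token is deployed first, the festival contract takes the token address in its constructor, and the single permitted `setFestivalContract` call closes the loop. The contract names `BeatTokenSketch`, `FestivalSketch` and `Wiring`, the event, the inline owner check and the code-length check are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; names and bodies are hypothetical, not the audited contracts.
contract BeatTokenSketch {
    address public immutable owner;
    address public festivalContract;

    event FestivalContractSet(address indexed festival);

    constructor() {
        owner = msg.sender;
    }

    // One-time setter: the lock is kept, and the extra checks reject values
    // that would waste or silently skip the single allowed call.
    function setFestivalContract(address _festival) external {
        require(msg.sender == owner, "Not owner");
        require(festivalContract == address(0), "Festival contract already set");
        require(_festival != address(0), "Invalid festival address");
        require(_festival.code.length > 0, "Festival is not a contract");
        festivalContract = _festival;
        emit FestivalContractSet(_festival);
    }
}

contract FestivalSketch {
    // The festival side needs the token address at construction time.
    address public immutable beatToken;

    constructor(address _beatToken) {
        beatToken = _beatToken;
    }
}

// Deploys both sides and links them in one transaction, so the only
// permitted call is made with an address that was just created here.
contract Wiring {
    BeatTokenSketch public token;
    FestivalSketch public festival;

    constructor() {
        token = new BeatTokenSketch(); // owner is this Wiring contract
        festival = new FestivalSketch(address(token));
        token.setFestivalContract(address(festival));
        assert(festival.beatToken() == address(token));
        assert(token.festivalContract() == address(festival));
    }
}
```

Because `Wiring` becomes the token owner in this sketch, a real deployment that needs other owner-only functions would run the same three steps from a deploy script under the owner's key instead.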
