Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Missing Zero Address Validation in setFestivalContract Allows Permanent Token Bricking

r4y4n3

Root + Impact

Description

Normal Behavior:
The owner should be able to set the festival contract address once, and minting/burning should be possible by the festival contract.

Issue:
The setFestivalContract function does not validate that the provided _festival address is non-zero. If the owner sets the festival contract to the zero address, all minting and burning operations are permanently disabled, as only the zero address can call these functions (which is impossible).

function setFestivalContract(address _festival) external onlyOwner {

require(festivalContract == address(0), "Festival contract already set");

@> festivalContract = _festival; // No zero address check

}

Risk

Likelihood: High

The owner may accidentally set the zero address due to a typo or UI bug.
There is no way to recover from this mistake, as the function can only be called once.

Impact: High

All minting and burning operations are permanently disabled.
The token contract becomes unusable for its intended purpose.

Proof of Concept

This PoC demonstrates how the contract can be bricked by setting the festival contract to the zero address. After this, all minting and burning operations will revert, making the token unusable.

// As owner:

beatToken.setFestivalContract(address(0));

// Now, any call to mint or burnFrom will always revert:

beatToken.mint(user, 100); // reverts forever

beatToken.burnFrom(user, 100); // reverts forever

Recommended Mitigation

To prevent this, add a check to ensure the festival contract address is not zero before setting it. This guarantees the contract cannot be bricked by accident.

function setFestivalContract(address _festival) external onlyOwner {

- require(festivalContract == address(0), "Festival contract already set");

- festivalContract = _festival;

+ require(festivalContract == address(0), "Festival contract already set");

+ require(_festival != address(0), "Festival contract cannot be zero");

+ festivalContract = _festival;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.