The setFestivalContract(address _festival) function allows the owner to set the address of the festival contract that can mint and burn BEAT tokens.
Explain the specific issue:
The function can only be called once, as it checks require(festivalContract == address(0), "Festival contract already set");.
This means the token contract cannot be reused for future festivals, and if the festival contract is upgraded or redeployed due to a bug, the token contract becomes unusable.
If the festival contract is compromised or lost, there is no way to recover mint/burn functionality.
Likelihood:
This will occur if the festival contract needs to be upgraded or redeployed due to a bug or vulnerability.
This will occur if the owner makes a mistake during deployment and sets the wrong address.
This will occur if the festival is intended to be a recurring event, but the token contract cannot be reused.
This will occur if the festival contract is compromised and needs to be replaced.
Impact:
BEAT token contract becomes locked and unusable for future events.
Loss of flexibility for contract upgrades or bug fixes.
Potential loss of all BEAT token utility if the festival contract is lost or compromised.
Users may lose trust in the platform due to inability to upgrade or recover from mistakes.
This is intended. It's done like that because the festival contract requires beat token's address and vice versa.
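
An added Solidity sketch (not the audited project's code) of the one-shot wiring discussed above: it keeps the `festivalContract == address(0)` lock and also checks that the festival points back at this token, so a mistaken address is rejected before the slot becomes permanent. The contract names, `owner`, the `IFestivalLike` interface and its `beatToken()` getter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the audited project's code. Every name except
// setFestivalContract, festivalContract and the revert string
// "Festival contract already set" is an assumption.

interface IFestivalLike {
    // Hypothetical getter: the token address the festival was deployed with.
    function beatToken() external view returns (address);
}

contract BeatTokenSketch {
    address public immutable owner;
    address public festivalContract; // zero until wired, then permanent

    constructor() {
        owner = msg.sender;
    }

    // Deployment order forced by the circular dependency:
    //   1. deploy BeatTokenSketch
    //   2. deploy FestivalSketch(address(token))
    //   3. token.setFestivalContract(address(festival))  <- succeeds once only
    function setFestivalContract(address _festival) external {
        require(msg.sender == owner, "Not owner");
        require(festivalContract == address(0), "Festival contract already set");
        // Reject EOAs and typos before the slot is locked.
        require(_festival.code.length > 0, "Not a contract");
        // Back-reference check: the festival must already be bound to this token.
        require(
            IFestivalLike(_festival).beatToken() == address(this),
            "Festival not bound to this token"
        );
        festivalContract = _festival;
    }
}

contract FestivalSketch is IFestivalLike {
    // Set at deployment, so the festival must be deployed after the token.
    address public immutable override beatToken;

    constructor(address _beatToken) {
        beatToken = _beatToken;
    }
}
```

The back-reference check only addresses the wrong-address case from the Likelihood list; a festival contract that is later found buggy or compromised still cannot be swapped out under this design.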