Normal behaviour: The owner calls setFestivalContract() once to authorise the FestivalPass contract to mint/burn BEAT tokens.
Issue: The function guards against re-assignment but not against setting the address to zero. If the owner mistakenly passes address(0), the token is permanently bricked because the setter can only be invoked when festivalContract == address(0).
Likelihood:
Deployment scripts might forget to supply the argument, defaulting to zero.
Manual invocation could be typo-ed.
Impact:
No contract is authorised to call mint or burnFrom ⇒ BEAT utility is lost.
Requires redeploying the token and migrating balances.
Owner/admin is trusted / Zero address check - Informational