Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Zero-Address Organizer — Self-Inflicted DoS

Description

  • Normal behaviour: organizer governs pass configuration and performance scheduling via onlyOrganizer functions.

  • Issue: setOrganizer(_organizer) allows address(0). Setting the organizer to the zero address disables every onlyOrganizer call, freezing core functionality until the owner fixes it.

function setOrganizer(address _organizer) public onlyOwner {
@> organizer = _organizer; // no zero-address guard
}

Risk

Likelihood:

  • Owner might deploy with a placeholder value or fat-finger a UI input.

  • Griefing owner could deliberately set to zero.

Impact:

  • buyPass pricing, createPerformance, and all pass management become unusable.

  • Requires another owner transaction to recover; if owner key is lost, the contract is permanently frozen.

Proof of Concept

festivalPass.setOrganizer(address(0)); // succeeds
festivalPass.configurePass(1, 0.1 ether, 1000); // reverts "Only organizer"
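
The lock-out and the owner-only recovery path described above, written out as a Foundry test. This is an added example, not code from the submission or the audited project: PassStub is a hypothetical stand-in that models only the organizer gating, and its storage, owner handling and the test address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in: models only the organizer gating the finding describes.
// Storage layout and owner handling are assumptions, not the audited code.
contract PassStub {
    address public owner = msg.sender;
    address public organizer;
    mapping(uint256 => uint256) public passPrice;

    modifier onlyOwner() {
        require(msg.sender == owner, "Only owner");
        _;
    }
    modifier onlyOrganizer() {
        require(msg.sender == organizer, "Only organizer");
        _;
    }
    function setOrganizer(address _organizer) public onlyOwner {
        organizer = _organizer; // no zero-address guard, as reported
    }
    function configurePass(uint256 id, uint256 price, uint256 /* maxSupply */) external onlyOrganizer {
        passPrice[id] = price;
    }
}

contract ZeroOrganizerTest is Test {
    address constant ORGANIZER = address(0xA11CE); // constructed test address
    PassStub stub;

    function setUp() public {
        stub = new PassStub(); // the test contract is the owner
        stub.setOrganizer(ORGANIZER);
    }

    function test_zeroOrganizerLocksOutUntilOwnerResets() public {
        stub.setOrganizer(address(0)); // accepted: nothing rejects the zero address

        // msg.sender can never equal address(0), so every caller is rejected.
        vm.prank(ORGANIZER);
        vm.expectRevert(bytes("Only organizer"));
        stub.configurePass(1, 0.1 ether, 1000);

        stub.setOrganizer(ORGANIZER); // recovery requires the owner key
        vm.prank(ORGANIZER);
        stub.configurePass(1, 0.1 ether, 1000);
        assertEq(stub.passPrice(1), 0.1 ether);
    }
}
```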

Recommended Mitigation

function setOrganizer(address _organizer) public onlyOwner {
+ require(_organizer != address(0), "Zero organizer");
organizer = _organizer;
}
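
Review bot: the added require at the top of setOrganizer rejects only address(0), so any other mistyped address still passes and produces the same lock-out of onlyOrganizer functions. The assignment also emits no event, so an organizer change is not visible off-chain; consider emitting one after `organizer = _organizer;` so a wrong value is noticed quickly.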
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational
