Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: low
Likelihood: low
Invalid

Performance Duration Overflow — Unreachable Events

Description

  • Normal behaviour: createPerformance() should create a performance that becomes active between startTime and startTime + duration.

  • Issue: The calculation endTime: startTime + duration can overflow if both values are large, wrapping around to a small timestamp. This makes isPerformanceActive() always return false since block.timestamp will never be ≤ the wrapped endTime.

    // FestivalPass.sol
    function createPerformance(uint256 startTime, uint256 duration, uint256 reward) external onlyOrganizer {
        // ... validation ...
        performances[performanceCount] = Performance({
            startTime: startTime,
            endTime: startTime + duration, // can overflow
            baseReward: reward
        });
    }

Risk

Likelihood:

  • Organizer accidentally sets a very large duration value (e.g., meant to input seconds but used a larger unit).

  • Edge case with far-future startTime values.

Impact:

  • Performance becomes permanently unattendable, wasting organizer setup and user expectations.

  • Scheduled rewards become unredeemable.

Proof of Concept

    function test_PerformanceOverflow() public {
        uint256 largeStart = type(uint256).max - 1000;
        uint256 largeDuration = 2000; // causes overflow
        vm.prank(organizer);
        uint256 perfId = festivalPass.createPerformance(largeStart, largeDuration, 100e18);
        // Fast forward to what should be performance time
        vm.warp(largeStart + 500);
        // Performance appears inactive due to overflow
        assertFalse(festivalPass.isPerformanceActive(perfId), "Overflow made performance unreachable");
    }

Recommended Mitigation

    function createPerformance(uint256 startTime, uint256 duration, uint256 reward) external onlyOrganizer {
        require(startTime > block.timestamp, "Start time must be in the future");
        require(duration > 0, "Duration must be greater than 0");
        require(startTime <= type(uint256).max - duration, "Duration overflow");
        performances[performanceCount] = Performance({
            startTime: startTime,
            endTime: startTime + duration,
            baseReward: reward
        });
        // ...
    }

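An added Foundry example (not code from the submission or from the FestivalPass project) that isolates the startTime + duration sum with the proof-of-concept values and shows three outcomes: wrapping to 999 under unchecked arithmetic, a Panic(0x11) revert under default Solidity 0.8.x checked arithmetic, and a revert with the "Duration overflow" reason under the recommended guard. EndTimeModel and its function names are hypothetical, and the 0.8.x pragma is an assumption, since the page does not state the contract's compiler version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumption: the page does not state FestivalPass's compiler version

import {Test, stdError} from "forge-std/Test.sol";

// Hypothetical stand-in for the endTime computation; not the FestivalPass contract.
contract EndTimeModel {
    // Default 0.8.x arithmetic: an overflowing sum reverts with Panic(0x11).
    function checkedEnd(uint256 startTime, uint256 duration) external pure returns (uint256) {
        return startTime + duration;
    }

    // Wrapping arithmetic (pre-0.8 behaviour, or an unchecked block): sum is taken mod 2**256.
    function wrappedEnd(uint256 startTime, uint256 duration) external pure returns (uint256 endTime) {
        unchecked {
            endTime = startTime + duration;
        }
    }

    // The guard from the recommended mitigation, rejecting the input with a descriptive reason.
    function guardedEnd(uint256 startTime, uint256 duration) external pure returns (uint256) {
        require(duration > 0, "Duration must be greater than 0");
        require(startTime <= type(uint256).max - duration, "Duration overflow");
        return startTime + duration;
    }
}

contract EndTimeModelTest is Test {
    EndTimeModel internal model = new EndTimeModel();
    uint256 internal constant START = type(uint256).max - 1000; // values from the proof of concept
    uint256 internal constant DURATION = 2000;

    function test_WrappedEndLandsBeforeStart() public {
        uint256 endTime = model.wrappedEnd(START, DURATION);
        assertEq(endTime, 999); // (2**256 - 1001 + 2000) mod 2**256
        assertLt(endTime, START); // no timestamp satisfies start <= t <= end
    }

    function test_CheckedEndReverts() public {
        vm.expectRevert(stdError.arithmeticError);
        model.checkedEnd(START, DURATION);
    }

    function test_GuardedEndRevertsWithReason() public {
        vm.expectRevert(bytes("Duration overflow"));
        model.guardedEnd(START, DURATION);
    }
}
```

Run it with forge test in a Foundry project that has forge-std installed.
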
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity