Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Missing Validation of beatToken Address

geeby

Root + Impact

Description

Describe the normal behavior in one or more sentences

Normally, the FestivalPass contract should interact securely with a trusted BEAT token contract to burn tokens when users redeem memorabilia.

Explain the specific issue or problem in one or more sentences

The constructor doesn’t validate the beatToken address. This means the contract can be deployed with a zero address or a malicious contract, breaking token logic or enabling unauthorized behavior like free NFT minting.

constructor(

address _beatToken,

string memory _uri

) ERC1155(_uri) {

@> beatToken = _beatToken;

// No validation on _beatToken. Could be address(0) or a malicious contract.

}

Risk

Likelihood:

Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

This occurs during deployment when a wrong or malicious _beatToken address is passed.

Reason 2
No internal checks exist to prevent accidental misconfiguration or intentional abuse.

Impact:

Impact 1

Users may interact with a fake or non-functional BEAT token contract.

Impact 2

Token minting, burning, or transfer logic may behave unexpectedly, allowing economic loss or abuse.

Proof of Concept

how an attacker can deploy a malicious ERC20-like contract and deceive the FestivalPass contract into believing it's interacting with a legitimate token. The malicious contract fakes successful transfers, bypassing any actual value movement.

Malicious Token Contract

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.25;

contract FakeToken {

string public name = "FakeToken";

string public symbol = "FAKE";

uint8 public decimals = 18;

uint256 public totalSupply = 1e24;

mapping(address => uint256) public balanceOf;

constructor() {

balanceOf[msg.sender] = totalSupply;

}

function transfer(address to, uint256 amount) external returns (bool) {

// 👀 Doesn't actually transfer anything

return true;

}

function transferFrom(address from, address to, uint256 amount) external returns (bool) {

// 👀 Doesn't deduct any balance either

return true;

}

function approve(address spender, uint256 amount) external returns (bool) {

return true;

}

Deploy FestivalPass with Fake Token

FestivalPass fest = new FestivalPass(

address(fakeToken), // <- 👈 Fake token contract address

address(organizer),

uri

);

Call rewardUser or redeemMemorabilia

// Give organizer MINTER_ROLE and REWARD_MANAGER_ROLE

fest.grantRole(fest.MINTER_ROLE(), organizer);

fest.grantRole(fest.REWARD_MANAGER_ROLE(), organizer);

// Mint a Silver pass to the user

fest.mint(1, user); // 1 = Silver

// Call rewardUser

fest.rewardUser(user, 1000 ether); // Calls transfer() on FakeToken, which always returns true

// Call redeemMemorabilia

fest.redeemMemorabilia(1); // Silver

Result:

No real tokens transferred — but the contract logic assumes success.
User may appear to receive or burn tokens, but nothing actually happens on-chain in terms of value transfer.
This allows fake integrations, exploits, or trust abuse between FestivalPass and third-party systems relying on token movement.

Recommended Mitigation

In functions like rewardUser and redeemMemorabilia, the contract assumes token transfers succeed based on returned true without checking for actual behavior.

In rewardUser():

- remove this code

token.transfer(user, rewardAmount);

+ add this code

bool success = token.transfer(user, rewardAmount);

require(success, "BEAT token transfer failed");

In redeemMemorabilia():

- remove this code

token.transferFrom(msg.sender, address(this), requiredAmount);

+ add this code

bool success = token.transferFrom(msg.sender, address(this), requiredAmount);

require(success, "BEAT token transferFrom failed");

Updates

Lead Judging Commences

inallhonesty Lead Judge 29 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.