The redeemMemorabilia function allows users to redeem memorabilia NFTs from a collection, incrementing currentItemId each time.
Explain the specific issue:
The sold-out check is require(collection.currentItemId < collection.maxSupply, "Collection sold out"). Because currentItemId starts at 1, the last item in the collection will never be redeemable (off-by-one error).
This means that for a collection with maxSupply = 5, only items 1-4 can be redeemed, and item 5 is never available.
Users may be unable to claim all advertised memorabilia, leading to confusion and loss of trust.
Likelihood:
This will occur every time a collection is created and users try to redeem the last item.
This will occur if the collection is popular and all items are claimed.
This will occur if users or organizers do not notice the off-by-one error.
This will occur if the contract is forked or reused without fixing the logic.
Impact:
The last item in every collection is never redeemable.
Users may be unable to claim all advertised memorabilia.
Organizers may face user complaints and loss of trust.
The contract may require emergency migration or upgrade.
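The boundary condition described above, as a minimal Solidity model (an added example, not the audited contract's code). Only currentItemId, maxSupply and the quoted require come from the finding; the contract name, the post-increment assignment, the inclusive <= check and the helper function are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the counter logic described in the finding.
// Names other than currentItemId and maxSupply are hypothetical.
contract RedeemBoundaryDemo {
    struct Collection {
        uint256 currentItemId; // next item id to hand out, starts at 1
        uint256 maxSupply;     // advertised number of items
    }

    Collection public buggy;   // uses the check quoted in the finding
    Collection public patched; // uses an inclusive bound (assumed fix)

    constructor(uint256 maxSupply_) {
        buggy = Collection({currentItemId: 1, maxSupply: maxSupply_});
        patched = Collection({currentItemId: 1, maxSupply: maxSupply_});
    }

    // With ids starting at 1, the call that would hand out
    // id == maxSupply reverts, so that item is never redeemable.
    function redeemBuggy() external returns (uint256 itemId) {
        require(buggy.currentItemId < buggy.maxSupply, "Collection sold out");
        itemId = buggy.currentItemId++; // assumed: id assigned, then incremented
    }

    // Inclusive bound: ids 1..maxSupply succeed; the next call reverts.
    function redeemPatched() external returns (uint256 itemId) {
        require(patched.currentItemId <= patched.maxSupply, "Collection sold out");
        itemId = patched.currentItemId++;
    }

    // Items handed out so far = next id minus the starting id of 1.
    // For maxSupply_ = 5 and repeated calls until revert: (4, 5).
    function redeemedCounts()
        external
        view
        returns (uint256 buggyCount, uint256 patchedCount)
    {
        buggyCount = buggy.currentItemId - 1;
        patchedCount = patched.currentItemId - 1;
    }
}
```

A regression test for this class of bug should redeem exactly maxSupply times and assert that every call succeeds and that call maxSupply + 1 reverts.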