Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Irrevocable Festival Contract

b_juhir

Root + Impact

DESCRIPTION:

Normal Behavior:
The owner sets the festivalContract, which will be responsible for minting and burning tokens for festival-related operations.
Issue:
The contract enforces a one-time-only setting of festivalContract via require(festivalContract == address(0)). If the first assigned festival contract is wrong, buggy, or later compromised, there is no recovery mechanism, leaving minting and burning permanently unusable.

function setFestivalContract(address _festival) external onlyOwner {

@> require(festivalContract == address(0), "Festival contract already set");

festivalContract = _festival;

}

Risk

Likelihood:

The festival contract will eventually be upgraded or changed in real-world scenarios.
A compromised or buggy festival contract will render minting/burning permanently unavailable because the owner cannot reset it.

Impact:

The token could become unusable for festival operations if the festival contract fails.
Users might lose trust in the token due to an inability to recover from operational failures.Proof of Concept

Proof of Concept :

// Step 1: Owner sets an incorrect or buggy festival contract

beatToken.setFestivalContract(0xDeadBuggyAddress);

// Step 2: Owner later tries to update to a correct contract

beatToken.setFestivalContract(0xNewCorrectAddress);

// Step 3: Transaction reverts

// Error: "Festival contract already set"

// As a result, mint() and burnFrom() can never be used with the new contract.

Recommended Mitigation

Allowing the owner to update the festival contract ensures the system can recover from operational failures. Emitting an event improves transparency for off-chain monitoring.

This ensures that even if the initial festival contract is compromised or lost, the token remains functional by migrating to a new secure contract.

+ event FestivalContractUpdated(address oldFestival, address newFestival);

- require(festivalContract == address(0), "Festival contract already set");

+ function updateFestivalContract(address _festival) external onlyOwner {

+ require(_festival != address(0), "Invalid festival address");

+ emit FestivalContractUpdated(festivalContract, _festival);

+ festivalContract = _festival;

+ }

Updates

Lead Judging Commences

inallhonesty Lead Judge 25 days ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

`setFestivalContract` only callable once

This is intended. It's done like that because the festival contract requires beat token's address and vice versa.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.