Submission Details
Severity:
Pass Supply Reset in configurePass()
Description
Resetting
passSupplyallows overselling passes.
function configurePass(
uint256 passId,
uint256 price,
uint256 maxSupply
) external onlyOrganizer {
require(passId == GENERAL_PASS || passId == VIP_PASS || passId == BACKSTAGE_PASS, "Invalid pass ID");
require(price > 0, "Price must be greater than 0");
require(maxSupply > 0, "Max supply must be greater than 0");
passPrice[passId] = price;
passMaxSupply[passId] = maxSupply;
@> passSupply[passId] = 0; // Reset current supply
}
Risk
Likelihood:
-
Organizer can accidentally/maliciously reset supply.
-
No technical barriers.
Impact:
-
Unlimited pass sales beyond maxSupply
-
fund theft.
Proof of Concept
function test_SupplyResetExploit() public {
// Set VIP pass: maxSupply=10
festivalPass.configurePass(VIP_PASS, 1 ether, 10);
// Buy 10 passes (sold out)
// ... purchasing logic ...
// Reset supply by reconfiguring
festivalPass.configurePass(VIP_PASS, 1 ether, 10);
// Buy 11th pass (should fail but succeeds)
vm.deal(user11, 1 ether);
vm.prank(user11);
festivalPass.buyPass{value: 1 ether}(VIP_PASS); // Succeeds!
}
Recommended Mitigation
function configurePass(uint256 passId, uint256 price, uint256 maxSupply) external onlyOrganizer {
+ require(maxSupply > passSupply[passId], "Max supply too low");
- passSupply[passId] = 0;
}
Updates
Lead Judging Commences
inallhonesty 26 days ago
Submission Judgement Published Assigned finding tags:
configurePass resets the current pass supply circumventing the max supply check
This is not acceptable as high because any attack vectors related to organizer trying to milk ETH from participants is voided by the fact that the organizer is trusted.
Rewards breakdown
nSLOC
234This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.