Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Memorabilia Collection isActive Flag Lacks Update Mechanism

The createMemorabiliaCollection function allows the organizer (via the onlyOrganizer modifier) to define new types of memorabilia NFTs, including their initial active status via the activateNow boolean. The redeemMemorabilia function allows users to redeem these NFTs, but only if the collection's isActive flag is set to true.


The specific issue is that once a MemorabiliaCollection is created, there is no subsequent function available to change its isActive status. This means if a collection is created as inactive, it can never be activated, and if created as active, it can never be deactivated or paused.


Root Cause:

In FestivalPass.sol, the isActive flag for a MemorabiliaCollection is set only once, during its creation, via the activateNow parameter of the createMemorabiliaCollection function. No separate function lets an onlyOrganizer (or onlyOwner) caller change the isActive status of an existing collection after it has been created.

// Create a new memorabilia collection
function createMemorabiliaCollection(
    string memory name,
    string memory baseUri,
    uint256 priceInBeat,
    uint256 maxSupply,
    bool activateNow
) external onlyOrganizer returns (uint256) {
    require(priceInBeat > 0, "Price must be greater than 0");
    require(maxSupply > 0, "Supply must be at least 1");
    require(bytes(name).length > 0, "Name required");
    require(bytes(baseUri).length > 0, "URI required");
    uint256 collectionId = nextCollectionId++;
    // isActive is written here, at creation, and nowhere else in the contract
    collections[collectionId] = MemorabiliaCollection({
        name: name,
        baseUri: baseUri,
        priceInBeat: priceInBeat,
        maxSupply: maxSupply,
        currentItemId: 1, // Start item IDs at 1
        isActive: activateNow
    });
    // ... remainder of the function is not shown in the report
}

Risk

Likelihood:

  1. This occurs when the organizer calls createMemorabiliaCollection with activateNow set to false, inadvertently making the collection permanently unusable.

  2. It also occurs when the organizer calls createMemorabiliaCollection with activateNow set to true but later needs to pause or deactivate the collection, which is not possible.

Impact:

  1. The protocol and its Organizer suffer a functional Denial of Service (DoS) for specific memorabilia collections, as they can become permanently inaccessible if created as inactive.

  2. The protocol and its Organizer suffer a lack of critical operational control, as they cannot pause or resume active collections, hindering their ability to respond to market changes, perform maintenance, or address issues.

Proof of Concept
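
Added example, not part of the submission or of FestivalPass.sol: a Foundry test against a constructed model that keeps only the isActive logic, showing redemption reverting for a collection created inactive and succeeding only once the setter from the recommended mitigation exists. The model's revert strings, its starting collection id, and the omission of BEAT payment and NFT minting are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed model: only the isActive handling described in the report.
// BEAT payment and NFT minting in the real FestivalPass.sol are left out.
contract MemorabiliaModel {
    struct MemorabiliaCollection { uint256 maxSupply; uint256 currentItemId; bool isActive; }
    address public immutable organizer = msg.sender;
    uint256 public nextCollectionId = 1; // starting id is an assumption
    mapping(uint256 => MemorabiliaCollection) public collections;

    modifier onlyOrganizer() { require(msg.sender == organizer, "Only organizer"); _; }

    function createMemorabiliaCollection(uint256 maxSupply, bool activateNow)
        external onlyOrganizer returns (uint256 id)
    {
        require(maxSupply > 0, "Supply must be at least 1");
        id = nextCollectionId++;
        collections[id] = MemorabiliaCollection(maxSupply, 1, activateNow); // only write to isActive
    }

    function redeemMemorabilia(uint256 id) external {
        require(collections[id].isActive, "Collection not active"); // revert string assumed
        collections[id].currentItemId++;
    }
}

// The model plus the setter from the recommended mitigation.
contract MemorabiliaModelFixed is MemorabiliaModel {
    event CollectionStatusUpdated(uint256 indexed collectionId, bool isActive);
    function setMemorabiliaCollectionActiveStatus(uint256 id, bool status) external onlyOrganizer {
        require(collections[id].maxSupply > 0, "Collection does not exist");
        collections[id].isActive = status;
        emit CollectionStatusUpdated(id, status);
    }
}

contract IsActiveTest is Test {
    function test_inactiveCollectionIsStuckUntilSetterExists() public {
        MemorabiliaModelFixed m = new MemorabiliaModelFixed(); // this test is the organizer
        uint256 id = m.createMemorabiliaCollection(10, false);
        vm.expectRevert(bytes("Collection not active"));
        m.redeemMemorabilia(id); // with the base model alone there is no way forward
        m.setMemorabiliaCollectionActiveStatus(id, true);
        m.redeemMemorabilia(id); // succeeds only because of the added setter
        m.setMemorabiliaCollectionActiveStatus(id, false);
        vm.expectRevert(bytes("Collection not active"));
        m.redeemMemorabilia(id); // the organizer can now pause redemption again
    }
}
```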

Recommended Mitigation

Add a dedicated function, callable by an authorized role (e.g., onlyOrganizer), to update the isActive status of an existing memorabilia collection. This provides necessary operational flexibility.
// Add this new function:
+ function setMemorabiliaCollectionActiveStatus(uint256 collectionId, bool status) external onlyOrganizer {
+ // Ensure the collection exists before trying to modify it
+ // A simple check like requiring maxSupply > 0 or checking if collectionId exists in a mapping
+ require(collections[collectionId].maxSupply > 0, "Collection does not exist");
+ collections[collectionId].isActive = status;
+ emit CollectionStatusUpdated(collectionId, status);
+ }
// Add a new event for clarity:
+ event CollectionStatusUpdated(uint256 indexed collectionId, bool isActive);
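Review bot: the existence check in setMemorabiliaCollectionActiveStatus, require(collections[collectionId].maxSupply > 0, ...), is only sound because createMemorabiliaCollection itself requires maxSupply > 0. The comment above it ("A simple check like requiring maxSupply > 0 or ...") reads as a note-to-self and should state that invariant instead, so a later change to the creation checks does not silently break the guard. The function also writes and emits CollectionStatusUpdated when status already equals the stored isActive; an early return or a require on collections[collectionId].isActive != status would keep the event log to real transitions. The event would also read better declared with the contract's other events, before its first use.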
Updates

Lead Judging Commences

inallhonesty Lead Judge 27 days ago
Submission Judgement Published
Validated
Assigned finding tags:

createMemorabiliaCollection with isActive false for later usage - flow not properly implemented.

Low because an organizer can use it with active = true and organizer is trusted.
