Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: high
Likelihood: high
Invalid

Unrestricted Burning by Festival Contract Allows Arbitrary Token Destruction

Root + Impact

Description

  • The burnFrom function allows the festival contract to burn tokens from any address, at any time, for any amount, without the token holder’s approval. This bypasses the standard ERC20 allowance mechanism and exposes all users to the risk of having their tokens destroyed arbitrarily. If the festival contract is compromised or buggy, it can wipe out any user’s balance, leading to loss of funds and trust.

function burnFrom(address from, uint256 amount) external {
    require(msg.sender == festivalContract, "Only_Festival_Burn");
@>  _burn(from, amount); // No user approval required
}

Risk

Likelihood:

  • The festival contract is a single point of trust; compromise or bugs in this contract will allow an attacker to burn tokens from any user.

  • No user approval or restriction exists, so a single malicious or erroneous call can destroy user funds.

Impact:

  • An attacker controlling the festival contract can burn the entire balance of any user, resulting in direct loss of funds.

  • The protocol’s reputation and user trust are severely damaged.

Proof of Concept

The following code demonstrates how a malicious or compromised festival contract can burn all tokens from a victim, proving there is no restriction or approval required.

beatToken.burnFrom(victim, beatToken.balanceOf(victim));
// Victim's balance is now zero.

Recommended Mitigation

Require user approval (using the ERC20 allowance mechanism) before burning tokens from their account, or restrict burning so that only the token holder can burn their own tokens.

function burnFrom(address from, uint256 amount) external {
    // Only the festival contract can call this function
    require(msg.sender == festivalContract, "Only_Festival_Burn");
    // If the burn is not initiated by the token owner directly,
    // require that msg.sender (the caller) has allowance from 'from'
    if (from != msg.sender) {
        // Spend allowance as per ERC20 standard to prevent unauthorized burns
        _spendAllowance(from, msg.sender, amount);
    }
    // Burn the specified amount of tokens from the 'from' address
    _burn(from, amount);
}
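To make the behaviour described in the Description and the Recommended Mitigation concrete, here is an added Foundry test (not the Beatland Festival project's code, not part of the original submission) that pairs a token using the allowance-gated burnFrom with three checks: a burn without approval reverts and leaves the balance untouched, a caller other than the festival contract is rejected, and a burn within an approved amount succeeds and consumes the allowance. It assumes OpenZeppelin Contracts (for ERC20, _burn and _spendAllowance) and forge-std are installed with the usual remappings; the contract names AllowanceGatedToken and AllowanceGatedTokenTest and the addresses created with makeAddr are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin Contracts and
// forge-std are available under the standard remappings.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Test} from "forge-std/Test.sol";

// Hypothetical token whose burnFrom follows the recommended mitigation:
// only the festival contract may call it, and it must hold an allowance.
contract AllowanceGatedToken is ERC20 {
    address public immutable festivalContract;

    constructor(address festival_) ERC20("Beat", "BEAT") {
        festivalContract = festival_;
        _mint(msg.sender, 1_000 ether); // constructed supply for the test
    }

    function burnFrom(address from, uint256 amount) external {
        require(msg.sender == festivalContract, "Only_Festival_Burn");
        if (from != msg.sender) {
            // Reverts if `from` has not approved at least `amount` to the caller
            _spendAllowance(from, msg.sender, amount);
        }
        _burn(from, amount);
    }
}

contract AllowanceGatedTokenTest is Test {
    AllowanceGatedToken token;
    address festival = makeAddr("festival"); // hypothetical festival contract address
    address victim = makeAddr("victim");     // hypothetical token holder

    function setUp() public {
        token = new AllowanceGatedToken(festival);
        token.transfer(victim, 100 ether);
    }

    // Without an allowance the festival contract cannot destroy the holder's balance.
    function test_BurnWithoutApprovalReverts() public {
        vm.prank(festival);
        vm.expectRevert();
        token.burnFrom(victim, 100 ether);
        assertEq(token.balanceOf(victim), 100 ether);
    }

    // The original access control is preserved: other callers are rejected even with approval.
    function test_NonFestivalCallerReverts() public {
        vm.prank(victim);
        token.approve(festival, 100 ether);
        vm.expectRevert("Only_Festival_Burn");
        token.burnFrom(victim, 100 ether); // msg.sender is the test contract
    }

    // A burn within the approved amount succeeds and consumes the allowance.
    function test_BurnWithinApprovalSucceeds() public {
        vm.prank(victim);
        token.approve(festival, 40 ether);
        vm.prank(festival);
        token.burnFrom(victim, 40 ether);
        assertEq(token.balanceOf(victim), 60 ether);
        assertEq(token.allowance(victim, festival), 0);
    }
}
```

Run it with `forge test --match-contract AllowanceGatedTokenTest`. The first test is the one that distinguishes the mitigated token from the original: against a burnFrom that calls _burn directly, it would fail because the victim's balance would drop to zero.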

Updates

Lead Judging Commences

inallhonesty Lead Judge 24 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
