Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Missing Zero-Address Check in Role Assignment Can Brick Protocol

ishwar

Root + Impact

Description

The contract is intended to maintain strong administration by only permitting privileged roles, such as Organizer, to control sensitive functions.
However, there is no check preventing privileged roles from being set to the zero address. Assigning zero addresses can disable critical protocol functions or result in permanent fund loss, bricking contract functionality.

function setOrganizer(address _organizer) external onlyOwner {

organizer = _organizer; //@>

}

// The same pattern recurs in FestivalPass.withdraw(target), BeatToken.setFestivalContract(address), and the FestivalPass constructor.

Risk

Likelihood:

A mistake, such as a typo or copy-paste error, frequently results in a zero address being submitted during role or destination changes.
The lack of validation means any call with a zero address will leave the contract in an irrecoverable or dangerous state.

Impact:

Assigning the zero address to a privileged role disables all functions that require that role and may prevent administrative recovery.
Sending contract funds to the zero address through an unchecked withdrawal permanently destroys ETH/Tokens.

Proof of Concept

festivalPass.setOrganizer(address(0));

// The Organizer role is now irretrievable and protocol admin functionality is lost.

festivalPass.withdraw(address(0));

// All ETH is sent to the zero address, resulting in unrecoverable protocol funds.

Recommended Mitigation

-function setOrganizer(address _organizer) external onlyOwner {

- organizer = _organizer;

+function setOrganizer(address _organizer) external onlyOwner {

+ require(_organizer != address(0), "Organizer is zero address");

+ organizer = _organizer;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational

Appeal created

ishwar Submitter

about 1 month ago

inallhonesty Lead Judge

about 1 month ago

ishwar Submitter

about 1 month ago

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.