Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Organizer Can Reset Supply After Minting

0xadwa

Description

The configurePass function allows the organizer to reset the passSupply to 0 at any time, even after passes have already been minted and distributed.

This does not burn or revoke already minted passes from users.

As a result, the actual number of passes in circulation (tracked by ERC1155 balances) will be out of sync with the passSupply variable.

passPrice[passId] = price;

passMaxSupply[passId] = maxSupply;

passSupply[passId] = 0; // Reset current supply

Risk :High: This is a critical logic bug that can break the contract’s supply guarantees and undermine user trust.

Likelihood: Medium

Impact

Supply Mismatch: The passSupply variable will no longer reflect the true number of passes in existence.

Potential Over-Minting: The organizer could set a new maxSupply and passSupply, allowing more passes to be minted than originally intended.

Loss of Integrity: The contract’s internal accounting becomes unreliable, which can lead to trust and operational issues.

Example Scenario

100 VIP passes are minted (passSupply[2] == 100).
Organizer calls configurePass(2, newPrice, 200), which resets passSupply[2] to 0.
The contract now thinks 0 VIP passes exist, but in reality, 100 are already in circulation.
Up to 200 more VIP passes could be minted, resulting in 300 total, far exceeding the intended cap.

Recommended Mitigation

Never reset passSupply in configurePass.

function configurePass(

uint256 passId,

uint256 price,

uint256 maxSupply

) external onlyOrganizer {

require(passId == GENERAL_PASS || passId == VIP_PASS || passId == BACKSTAGE_PASS, "Invalid pass ID");

require(price > 0, "Price must be greater than 0");

+ require(maxSupply >= passSupply[passId], "Max supply cannot be less than already minted supply");

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

configurePass resets the current pass supply circumventing the max supply check

This is not acceptable as high because any attack vectors related to organizer trying to milk ETH from participants is voided by the fact that the organizer is trusted.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.