Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Lack of Emergency Controls (Pause Mechanism) in BeatToken

r4y4n3

Root + Impact

Description

BeatToken does not implement a pause mechanism. The owner cannot halt minting or burning, even if a vulnerability or exploit is discovered. This is against best practices for ERC20 tokens.

// @> BeatToken.sol

contract BeatToken is ERC20, Ownable2Step {

// @> No Pausable inheritance or pause logic

function mint(address to, uint256 amount) external {

// @> No whenNotPaused modifier

...

}

function burnFrom(address from, uint256 amount) external {

// @> No whenNotPaused modifier

...

}

Risk

Likelihood:

When a bug, exploit, or abuse is discovered, the owner cannot stop further damage.
All critical functions remain callable at all times.

Impact:

Unlimited token minting or burning is possible.
User funds and project reputation are at risk.

Proof of Concept

Without a pause mechanism, any vulnerability in mint() or burnFrom() can be exploited continuously, as the contract owner cannot intervene to halt these operations.

// If a bug is found in mint() or burnFrom(), the owner cannot stop attackers from minting unlimited BEAT tokens or burning tokens from any address.

Recommended Mitigation

Add OpenZeppelin’s Pausable and use the whenNotPaused modifier on sensitive functions, allowing the owner to pause all minting and burning operations in emergencies.

- contract BeatToken is ERC20, Ownable2Step {

+ import "@openzeppelin/contracts/security/Pausable.sol";

+ contract BeatToken is ERC20, Ownable2Step, Pausable {

...

+ function pause() external onlyOwner { _pause(); }

+ function unpause() external onlyOwner { _unpause(); }

- function mint(address to, uint256 amount) external {

+ function mint(address to, uint256 amount) external whenNotPaused {

...

}

- function burnFrom(address from, uint256 amount) external {

+ function burnFrom(address from, uint256 amount) external whenNotPaused {

...

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.