Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Irreversible festivalContract Setting


Description

The festivalContract can be set only once due to this check:

// require(festivalContract == address(0), "Festival contract already set");

Risk

Likelihood:

  • If the owner mistakenly sets the wrong address, the function becomes unusable forever, leading to a locked system.

Impact:

  • Impact 1: Permanent locking of mint/burn features if an incorrect address is set.

  • Impact 2: No flexibility for contract upgrades or emergency changes.

Proof of Concept

// Owner mistakenly sets wrong address
beat.setFestivalContract(0xDEAD...);
// No way to change it again
beat.setFestivalContract(0xCORRECT); // reverts

Recommended Mitigation

Consider allowing the owner to update it with proper authorization:

function updateFestivalContract(address _new) external onlyOwner {
    require(_new != address(0), "Zero address");
    festivalContract = _new;
}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

`setFestivalContract` only callable once

This is intended. It's done like that because the festival contract requires beat token's address and vice versa.
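The deployment order implied by the judge's comment, as an added sketch that is not code from the audited repository: the token is deployed first, the festival contract receives the token address in its constructor, and the one-time setter closes the loop. The contract names, the `beatToken()` getter and the extra validation checks are assumptions made for illustration; only `festivalContract`, `setFestivalContract` and the "already set" check come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All contract names and bodies are hypothetical.
contract TokenSketch {
    address public immutable owner;
    address public festivalContract;

    event FestivalContractSet(address indexed festival);

    constructor() {
        owner = msg.sender;
    }

    // Set-once link. Because the value can never be changed, the input is
    // validated before it is stored (these extra checks are assumptions).
    function setFestivalContract(address _festival) external {
        require(msg.sender == owner, "Not owner");
        require(festivalContract == address(0), "Festival contract already set");
        require(_festival != address(0), "Zero address");
        require(_festival.code.length > 0, "Not a contract");
        // The candidate must already point back at this token.
        require(
            FestivalSketch(_festival).beatToken() == address(this),
            "Festival not bound to this token"
        );
        festivalContract = _festival;
        emit FestivalContractSet(_festival);
    }
}

contract FestivalSketch {
    address public immutable beatToken;

    constructor(address _beatToken) {
        beatToken = _beatToken;
    }
}

// Deploys both contracts and links them in a single transaction, so the
// token is never left with the link unset or set by hand.
contract DeploySketch {
    function deploy() external returns (TokenSketch token, FestivalSketch festival) {
        token = new TokenSketch();                      // 1. token first, link unset
        festival = new FestivalSketch(address(token));  // 2. festival needs the token address
        token.setFestivalContract(address(festival));   // 3. one-time link, cannot be repointed
    }
}
```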
