Beatland Festival
First Flight #44
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Impact: high
Likelihood: high
Invalid

Uncapped Minting Logic via createMemorabiliaCollection()

viveksh0062

Root + Impact

Description

  • The createMemorabiliaCollection() function allows organizers to define new NFT collections. However, there is no interface-level constraint on:

    • How many collections can be created

    • Maximum size of each collection (beyond maxSupply)

    • Validations on base URI uniqueness or overlap


    If the implementation fails to impose strict controls, an attacker with organizer privileges (or via compromised ownership) could create thousands of collections, each with large maxSupply values.

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Impact:

  • Denial of Service due to extreme storage usage

  • State bloat, pushing the contract towards the 24KB contract size limit

  • Token ID collision if shifting logic (collectionId << 128) + itemId isn't properly bounded

  • Potential bypass of marketplace indexing, URI abuse

Proof of Concept

for (uint256 i = 0; i < 10000; i++) {
festivalPass.createMemorabiliaCollection(
string(abi.encodePacked("SPAM_", Strings.toString(i))),
"ipfs://malicious/",
1, // priceInBeat
type(uint256).max, // extreme max supply
true // auto activate
);
}

Recommended Mitigation

In implementation:

  • ✅ Impose a cap on total collections (e.g., max 100 or governance-adjustable)

  • ✅ Enforce maxSupply < reasonableLimit (e.g., 10,000 max per collection)

  • ✅ Prevent duplicate baseUri or collection name

  • ✅ Validate that collectionId will not overflow when encoded in token ID using (collectionId << 128) + itemId

- remove this code
+ add this code
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.