Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

`setFestivalContract` cannot be reused for other festivals

ant

Due to zero address checking applied on `setFestivalContract`, only one festival can be set and it will limit the whole flow to only one festival forever

Description

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentences

function setFestivalContract(address _festival) external onlyOwner {

require(festivalContract == address(0), "Festival contract already set");

festivalContract = _festival;

}

Risk

Likelihood:

After you set festival contract for the fist time you won't be able to set again so it has high likelihood

Impact:

Disrupt the whole flow from buying the Festival Pass, attending performance, and redeeming Memorabilia because BeatToken.sol can only apply its logic to one festival forever

Proof of Concept for `setFestivalContract` cannot be reused for other festivals

Overview: BaseToken.sol can only apply its logic to one festival forever

Actors:

Owner: Owner of the BeatToken.sol contract
Victim: Users buying the festival pass
Protocol: Provide a way for users to buy pass to earn BEAT

Working Test Case:

beatToken.setFestivalContract(firstFestivalContract));

// revert when setting to a new festival

vm.expectRevert();

beatToken.setFestivalContract(secondfestivalContract);

Recommended Mitigation

Introduce a new boolean e.g. bool isFestivalContractSetBefore to ensure the zero address checking only appies to the first time of calling setFestivalContract

function setFestivalContract(address _festival) external onlyOwner {

- require(festivalContract == address(0), "Festival contract already set"); //@audit cannot be reused for other festivals

+ require(!isFestivalContractSetBefore && festivalContract == address(0), "Festival contract already set");

+ isFestivalContractSetBefore = true;

festivalContract = _festival;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 25 days ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational

`setFestivalContract` only callable once

This is intended. It's done like that because the festival contract requires beat token's address and vice versa.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.