Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

No Mechanism to Activate Memorabilia Collection After Creation Results In Unusable Collections

romans

Root + Impact: No Mechanism to Activate Memorabilia Collection After Creation Results In Unusable Collections

Description

The FestivalPass contract allows the organizer to create memorabilia collections with a boolean isActive parameter that determines whether users can redeem NFTs from the collection by burning BEAT tokens.
There is no function to toggle or set isActive to true after a collection is created with isActive set to false, preventing users from redeeming NFTs from such collections.

// Root cause in FestivalPass.sol

function createMemorabiliaCollection(

string memory name,

string memory baseUri,

uint256 priceInBeat,

uint256 maxSupply,

bool activateNow

) external onlyOrganizer returns (uint256) {

require(priceInBeat > 0, "Price must be greater than 0");

require(maxSupply > 0, "Supply must be at least 1");

require(bytes(name).length > 0, "Name required");

require(bytes(baseUri).length > 0, "URI required");

uint256 collectionId = nextCollectionId++;

@> collections[collectionId] = MemorabiliaCollection({

name: name,

baseUri: baseUri,

priceInBeat: priceInBeat,

maxSupply: maxSupply,

currentItemId: 1,

isActive: activateNow

});

emit CollectionCreated(collectionId, name, maxSupply);

return collectionId;

}

Risk

Likelihood:

Always affects collections intentionally created as inactive, as the contract lacks any mechanism to activate them later.

Impact:

Users cannot redeem NFTs from inactive collections, rendering the collection unusable and potentially locking the utility of their BEAT tokens if no other active collections exist.
Organizers cannot correct or update the activation status of a collection, limiting the flexibility of the festival’s memorabilia system.

Proof of Concept

Run forge test --mt test_RedeemMemorabilia_CollectionNotActive command, observe that the test passes, user is unable to redeem items from inactive collection and there is no way to activate the collection after it is created.

Recommended Mitigation

Add the following code to src/FestivalPass.sol:

+ // Add function to toggle collection activation status

+ function toggleCollectionActive(uint256 collectionId, bool isActive) external onlyOrganizer {

+ require(collections[collectionId].priceInBeat > 0, "Collection does not exist");

+ collections[collectionId].isActive = isActive;

+ emit CollectionActivationToggled(collectionId, isActive);

+ }

+ // Add event for activation status changes

+ event CollectionActivationToggled(uint256 indexed collectionId, bool isActive);

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

createMemorabiliaCollection with isActive false for later usage - flow not properly implemented.

Low because an organizer can use it with active = true and organizer is trusted.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.