Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: medium

Invalid

Unsafe ERC20 Operation

cybernerd

Free NFTs without paying required BEAT tokens

Description

The redeemMemorabilia() function calls burnFrom() directly on the BEAT token without validating the result:

BeatToken(beatToken).burnFrom(msg.sender, collection.priceInBeat);

Risk

This assumes the token:

Correctly burns tokens
Reverts on failure
Or always returns true on success

However, not all ERC20 tokens follow the same standard strictly. Some tokens:

Return false instead of reverting
Return nothing at all (e.g., USDT)
Fail silently (no revert, no error)

This leads to a false success assumption, allowing the contract to continue execution even if tokens were not burned.

Impact:

If the token transfer/burn silently fails:
- The user receives an NFT without spending BEAT tokens
- An attacker can exploit this to mint unlimited NFTs for free
- This breaks the economic security of the memorabilia redemption logic

Proof of Concept

Create a fake BEAT token that overrides burnFrom() like this:

function burnFrom(address, uint256) external override {

// do nothing (simulate silent failure)

}

Call redeemMemorabilia() from an EOA or contract:

myNFT.redeemMemorabilia(0); // You get an NFT without paying BEAT

NFT gets minted because no check was made on burnFrom()’s result.

Recommended Mitigation

Use OpenZeppelin's SafeERC20 wrapper to ensure safe token interactions:

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

using SafeERC20 for IERC20;

IERC20(beatToken).safeTransferFrom(msg.sender, address(this), amount);

beatToken.burn(amount); // or call an internal burn that follows safety

//if burnFrom is part of a custom interface, wrap it safely or use a pre-check allowance + safeTransferFrom.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.