Beatland Festival

First Flight #44
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Access Control Vulnerability

Lack of access control on the setOrganizer function: anyone can choose the organizer

Issue: Missing onlyOwner Modifier

Description:

The setOrganizer function has no access control, so any external address can call it and arbitrarily change the contract's organizer. This is a critical flaw whenever the organizer role carries special privileges or gates important logic in the contract.

function setOrganizer(address _organizer) external;
// @audit missing access control (no onlyOwner or equivalent restriction)

Risk

Likelihood: High

  • Unrestricted access: anyone can call setOrganizer and replace the legitimate organizer.

  • This can lead to denial of service, misdirection of funds, or abuse of any logic tied to the organizer role.

Impact: High

  • An attacker can assign themselves as organizer.

  • An attacker can disrupt normal protocol operations.

Proof of Concept

setOrganizer is marked external and carries no restriction, so any EOA or contract can call it. The attack takes two transactions. The organizer-gated functions named below (approveEvent, cancelEvent, withdrawFunds) are illustrative of what such a role could gate, not confirmed functions of this contract.

// 1. Attacker calls setOrganizer from any address (script or manual transaction)
eventContract.setOrganizer(attackerAddress);

// 2. Attacker now satisfies every check of the form require(msg.sender == organizer)
eventContract.approveEvent(fakeEventId); // passes the organizer require() check
// cancelEvent or withdrawFunds would pass in the same way if they are tied to the organizer role.

This bypasses the intended permission model and hands full control of the organizer role to an untrusted party.
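The following Foundry test is an added example, not code from the Beatland Festival repository: it reproduces the reported pattern in a constructed minimal contract (UnprotectedFestival) next to a hardened version (ProtectedFestival) and shows the attacker succeeding against the first and reverting against the second. It assumes a standard Foundry project with forge-std and OpenZeppelin Contracts 5.x on the remapping paths used in the imports; the contract names, the organizer-gated cancelFestival function and the OWNER/ATTACKER addresses are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Constructed minimal reproduction of the reported pattern (hypothetical, not the audited contract).
contract UnprotectedFestival {
    address public organizer;
    bool public cancelled;

    event OrganizerChanged(address indexed previous, address indexed current);

    constructor() {
        organizer = msg.sender;
    }

    // No modifier and no msg.sender check: any caller can rotate the organizer.
    function setOrganizer(address _organizer) external {
        emit OrganizerChanged(organizer, _organizer);
        organizer = _organizer;
    }

    modifier onlyOrganizer() {
        require(msg.sender == organizer, "not organizer");
        _;
    }

    // Example of logic gated on the organizer role.
    function cancelFestival() external onlyOrganizer {
        cancelled = true;
    }
}

// Hardened version: only the owner may rotate the organizer, and the zero address is rejected.
contract ProtectedFestival is Ownable {
    address public organizer;
    bool public cancelled;

    event OrganizerChanged(address indexed previous, address indexed current);

    constructor() Ownable(msg.sender) {
        organizer = msg.sender;
    }

    function setOrganizer(address _organizer) external onlyOwner {
        require(_organizer != address(0), "zero organizer");
        emit OrganizerChanged(organizer, _organizer);
        organizer = _organizer;
    }

    modifier onlyOrganizer() {
        require(msg.sender == organizer, "not organizer");
        _;
    }

    function cancelFestival() external onlyOrganizer {
        cancelled = true;
    }
}

contract SetOrganizerTest is Test {
    address constant OWNER = address(0xA11CE);   // hypothetical deployer
    address constant ATTACKER = address(0xBAD);  // hypothetical attacker EOA

    function test_unprotected_attackerTakesOverOrganizerRole() public {
        vm.prank(OWNER);
        UnprotectedFestival f = new UnprotectedFestival();

        vm.startPrank(ATTACKER);
        f.setOrganizer(ATTACKER); // succeeds: nothing restricts the caller
        f.cancelFestival();       // now passes the onlyOrganizer gate
        vm.stopPrank();

        assertEq(f.organizer(), ATTACKER);
        assertTrue(f.cancelled());
    }

    function test_protected_attackerIsRejected() public {
        vm.prank(OWNER);
        ProtectedFestival f = new ProtectedFestival();

        // setOrganizer reverts with OpenZeppelin 5.x's custom error for non-owners.
        vm.prank(ATTACKER);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, ATTACKER));
        f.setOrganizer(ATTACKER);

        // The organizer-gated function is still closed to the attacker.
        vm.prank(ATTACKER);
        vm.expectRevert("not organizer");
        f.cancelFestival();

        assertEq(f.organizer(), OWNER);
        assertFalse(f.cancelled());
    }
}
```

Run with `forge test --match-contract SetOrganizerTest -vvv`. The first test is the finding's PoC in executable form; the second shows what the recommended fix must achieve, including the zero-address check, so a reviewer can confirm the real setOrganizer against it.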

Recommended Mitigation:

Restrict setOrganizer to a trusted account. The simplest fix is to inherit OpenZeppelin's Ownable and guard the function with onlyOwner; if the protocol needs several privileged roles, OpenZeppelin's AccessControl provides fine-grained, role-based permissions instead. Rejecting address(0) as the new organizer is also advisable.

- function setOrganizer(address _organizer) external;
+ function setOrganizer(address _organizer) external onlyOwner;
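Review bot: The `+` line adds `onlyOwner` to a bodiless, interface-style declaration (`external;`), where a modifier has no effect; the modifier has to go on the implementing function, and the contract must inherit OpenZeppelin's `Ownable` (or declare an equivalent modifier) for `onlyOwner` to exist at all, which the diff does not show. The prose above also recommends `AccessControl`, whose idiom would be `onlyRole(DEFAULT_ADMIN_ROLE)` or a dedicated role rather than `onlyOwner`; pick one of the two and make the diff match it.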
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
