Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

FestivalPass::createMemorabiliaCollection has no way of reactivating a MemorabiliaCollection when isActive is set to false, could render the collection useless forever

0xtory

Root + Impact

Description

The FestivalPass::createMemorabiliaCollection has no way of reactivating a Collection in cases where someone creates a MemorabiliaCollection and fails to set isActive in the Collection struct to true, this could render this collection unusable and nobody will be able to redeem this Collection, Someone could have an intention for reactivating this MemorabiliaCollection later on.

function createMemorabiliaCollection(

string memory name, string memory baseUri, uint256 priceInBeat, uint256 maxSupply, bool activateNow)

external

onlyOrganizer

returns (uint256)

{

require(priceInBeat > 0, "Price must be greater than 0");

require(maxSupply > 0, "Supply must be at least 1");

require(bytes(name).length > 0, "Name required");

require(bytes(baseUri).length > 0, "URI required");

uint256 collectionId = nextCollectionId++;

collections[collectionId] = MemorabiliaCollection({

name: name,

baseUri: baseUri,

priceInBeat: priceInBeat,

maxSupply: maxSupply,

currentItemId: 1, // Start item IDs at 1

@> isActive: activateNow

});

emit CollectionCreated(collectionId, name, maxSupply);

return collectionId;

}

Risk

Likelihood:

When someone has an intention to activate the collection at a later date after creating, there won't be a way to reactivate and redeem this collection

Impact:

The process of creating a collection and setting isActive to false would prevent interested People from redeeming this particular collection , It would be considered pointless to create a Collection without activating it

Proof of Concept

A user purchase a VIP pass set by the organizer and gets a bonus of 5e18 beat tokens

Organizer creates Collections with the intentions of activating later on but realises they cant do that

Users likes this collection created and tries to redeem it, but it reverts with Collection not active, He tries to inform the organizer but there is nothing they can do for that specific collection id

function testCantRedeeemMemorabiliaCollectionWhenInactive() public {

vm.startPrank(organizer);

festivalPass.configurePass(1, VIP_PRICE, 1);

uint256 collectionId = festivalPass.createMemorabiliaCollection("Test", "ipfs://test", 5e18, 10, false);

vm.stopPrank();

vm.startPrank(user1);

festivalPass.buyPass{value: VIP_PRICE}(1);

festivalPass.redeemMemorabilia(collectionId);

vm.stopPrank();

}

Results:

Failing tests:

Encountered 1 failing test in test/FestivalPass.t.sol:FestivalPassTest

[FAIL: Collection not active] testCantRedeeemMemorabiliaCollectionWhenInactive() (gas: 215215)

Recommended Mitigation

The protocol should include a way to update isActive status for every Memorabilia Collection Created or Set isActive to true by default to prevent creating unusable Collections

Option 1:

function createMemorabiliaCollection(

string memory name,

string memory baseUri,

uint256 priceInBeat,

uint256 maxSupply,

bool activateNow

) external onlyOrganizer returns (uint256) {

require(priceInBeat > 0, "Price must be greater than 0");

require(maxSupply > 0, "Supply must be at least 1");

require(bytes(name).length > 0, "Name required");

require(bytes(baseUri).length > 0, "URI required");

uint256 collectionId = nextCollectionId++;

collections[collectionId] = MemorabiliaCollection({

name: name,

baseUri: baseUri,

priceInBeat: priceInBeat,

maxSupply: maxSupply,

currentItemId: 1, // Start item IDs at 1

-- isActive: activateNow

++ isActive: true

});

emit CollectionCreated(collectionId, name, maxSupply);

return collectionId;

}

Option 2: Include an UpdateCollection Function

function updateMemorabiliaCollection(uint256 collectionId, bool activateNow) external onlyOrganizer {

++ collections[collectionId].isActive = activateNow;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 29 days ago

Submission Judgement Published

Validated

Assigned finding tags:

createMemorabiliaCollection with isActive false for later usage - flow not properly implemented.

Low because an organizer can use it with active = true and organizer is trusted.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.