Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

M03. Irreversible Inactive State for Memorabilia Collections

accessdenied

Root + Impact

Description

Normally, when a new memorabilia collection is created using createMemorabiliaCollection, the collection can be activated immediately via the activateNow boolean. Once active, users can redeem memorabilia items using BEAT tokens.
However, if the collection is created with activateNow = false, the collection is permanently inactive due to the absence of a function to later activate it. This results in a functional deadlock — the collection exists on-chain but cannot be used or interacted with meaningfully.

function createMemorabiliaCollection(

...

bool activateNow

) external onlyOrganizer returns (uint256) {

...

collections[collectionId] = MemorabiliaCollection({

...

@> isActive: activateNow

});

...

}

Risk

Likelihood:

Organizers may choose to delay activation (for planning or sequencing) and call the function with activateNow = false.
There is no mechanism to update the isActive flag afterward, which is not intuitive.

Impact:

The collection becomes permanently inactive, leading to a non-functional or inaccessible NFT collection.
This results in wasted storage, blocked token issuance, and may affect user or organizer trust if collections appear "broken".

Proof of Concept

// Organizer creates a collection that is inactive

festivalPass.createMemorabiliaCollection("Test", "ipfs://abc", 10e18, 100, false);

// Attempting to redeem from this collection will always fail:

festivalPass.redeemMemorabilia(collectionId);

// => reverts with "Collection not active"

Explanation: There is no available function to toggle isActive to true after creation, so any call to redeemMemorabilia() will fail indefinitely.

Recommended Mitigation

+ function activateCollection(uint256 collectionId) external onlyOrganizer {

+ require(collections[collectionId].priceInBeat > 0, "Collection does not exist");

+ collections[collectionId].isActive = true;

+ }

Add a simple function such as activateCollection() that allows the organizer to mark a previously created collection as active. This preserves flexibility without breaking the contract's existing logic. Optionally, a deactivateCollection() function can also be added for symmetric control.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

createMemorabiliaCollection with isActive false for later usage - flow not properly implemented.

Low because an organizer can use it with active = true and organizer is trusted.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.