Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

`configurePass` Supply Reset: Bypassing `maxSupply`

jufel

Description:
Every time the organizer calls configurePass, the line
'passSupply[passId] = 0;'

resets the recorded supply back to zero, even if passes have already been sold. This lets the organizer (or anyone with the organizer role) “re-open” sales indefinitely, completely bypassing the passMaxSupply constraint.

Impact:
An attacker with the organizer role can mint unlimited passes (and their associated on-mint BEAT bonuses), ruining scarcity guarantees and undermining ticket economics.

Proof of Concept: Add the following test to the 'FestivalPass.t.sol' file:

function testConfigureResetsSupply() public {

// Initial configure: maxSupply = 1

vm.prank(organizer);

festivalPass.configurePass(1, GENERAL_PRICE, 1);

// user1 buys the one available pass

vm.prank(user1);

festivalPass.buyPass{value: GENERAL_PRICE}(1);

// user2 cannot buy—supply is exhausted

vm.prank(user2);

vm.expectRevert("Max supply reached");

festivalPass.buyPass{value: GENERAL_PRICE}(1);

// organizer re-configures the same pass → resets supply count

vm.prank(organizer);

festivalPass.configurePass(1, GENERAL_PRICE, 1);

// user2 can now buy again, despite the original maxSupply of 1

vm.prank(user2);

festivalPass.buyPass{value: GENERAL_PRICE}(1);

assertEq(festivalPass.balanceOf(user2, 1), 1);

}

Mitigation:
– Do not reset passSupply in configurePass. Initialize it only once, or split price and supply configuration into separate functions that don’t reset supply.
– Or add a flag so that configurePass can only be called before any sales.

Updates

Lead Judging Commences

inallhonesty Lead Judge 26 days ago

Submission Judgement Published

Validated

Assigned finding tags:

configurePass resets the current pass supply circumventing the max supply check

This is not acceptable as high because any attack vectors related to organizer trying to milk ETH from participants is voided by the fact that the organizer is trusted.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.