Submission Details
Severity:
Off-by-One in `redeemMemorabilia`: Under-Minting & Unmintable Collections
Description:
In redeemMemorabilia, the check
require(collection.currentItemId < collection.maxSupply, "Collection sold out");
is off by one. Since currentItemId starts at 1, a collection with maxSupply = N only ever mints N−1 items—and if maxSupply = 1 it mints 0 items.
Impact:
Organizers and collectors cannot mint the full intended supply. In the worst case (maxSupply = 1), no memorabilia can ever be redeemed.
Proof of Concept: Add the following test to the 'FestivalPass.t.sol' file:
function testRedeemMaxSupplyTwoOnlyMintsOne() public {
// Create collection with maxSupply = 2
vm.prank(organizer);
uint256 col = festivalPass.createMemorabiliaCollection("Col1", "ipfs://1", 1e18, 2, true);
// Give user tokens
vm.prank(address(festivalPass));
beatToken.mint(user1, 1000e18);
// User redeems once → works
vm.prank(user1);
festivalPass.redeemMemorabilia(col);
// Second redeem should also work, but reverts instead
vm.prank(user1);
vm.expectRevert("Collection sold out");
festivalPass.redeemMemorabilia(col);
}
Mitigation:
Change the supply check to allow exactly maxSupply items, e.g.:
- require(collection.currentItemId < collection.maxSupply, "Collection sold out");
+ require(collection.currentItemId <= collection.maxSupply, "Collection sold out");
— or better, start currentItemId at 0 and use < maxSupply, then increment after mint.
Updates
Lead Judging Commences
inallhonesty 26 days ago
Submission Judgement Published Assigned finding tags:
Off by one error in redeemMemorabilia
Rewards breakdown
nSLOC
234This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.