Beatland Festival

First Flight #44
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Unlimited Token Minting by Festival Contract May Cause Denial-of-Service (DoS).

The contract allows unlimited zero-value and repeated minting by the festivalContract, which can lead to gas DoS, total supply inflation, log bloating, and abuse if the festivalContract is ever compromised or misused.

Description

The contract allows the festivalContract to call the mint() function without any restriction on how many times it can mint or how much it can mint per call.

This means the authorized festivalContract can:

  • Call mint(to, 1) in a loop (e.g., 10,000+ times).

  • Inflate the total supply arbitrarily.

  • Potentially exhaust block gas limits, causing DoS for other operations depending on token transfers, especially in multi-token logic.

    function mint(address to, uint256 amount) external {
        // Only the sender is checked: the festivalContract can call this any number
        // of times, with any amount (including zero), and no supply cap is enforced.
        require(msg.sender == festivalContract, "Only_Festival_Mint");
        _mint(to, amount);
    }

Risk

Denial of Service (DoS) via Unbounded Minting

If the festivalContract is misconfigured, compromised, or intentionally misused, it can mint tokens in a loop, leading to:

  • 💸 Gas exhaustion in other functions (e.g., transfer, totalSupply, or anything iterating over holders).

Likelihood:

Impact:

  1. Repeated small mints (e.g., 1 token per call) consume excessive gas, especially if automated in a loop. This can prevent other important transactions from fitting into the block.

  2. Thousands of small Transfer events (each mint() emits one) flood off-chain systems, causing delays or crashes in analytics tools or frontend dashboards.

Proof of Concept

This test checks that the festivalContract can call mint() 10,000 times in a loop, minting 1 token per call, and that doing so costs far more gas than a single mint of the same total.

    // Foundry test; beatToken, festivalContract and user are fixtures set up by the test contract.
    function test_AnyoneCanMintTokenManyTime() public {
        beatToken.setFestivalContract(festivalContract);
        vm.startPrank(festivalContract);
        for (uint256 i = 0; i < 10000; i++) {
            beatToken.mint(user, 1);
        }
        vm.stopPrank();
        assertEq(beatToken.balanceOf(user), 10000, "User should have 10000 tokens after minting 10000 times");
        assertEq(beatToken.totalSupply(), 10000, "Total supply should be 10000 after minting 10000 tokens");
    }

Recommended Mitigation

Add a require statement to mint() that checks the amount is greater than zero and no larger than a per-call maximum (MAX_MINT_PER_CALL), and track cumulative festival mints against a global cap (MAX_SUPPLY). MAX_MINT_PER_CALL, MAX_SUPPLY and totalFestivalMints must be declared on the contract; the lines marked + are the additions.

    function mint(address to, uint256 amount) external {
        require(msg.sender == festivalContract, "Only_Festival_Mint");
    +   require(amount > 0 && amount <= MAX_MINT_PER_CALL, "Invalid mint amount");
    +   totalFestivalMints += amount;
    +   require(totalFestivalMints <= MAX_SUPPLY, "Exceeds allowed supply");
        _mint(to, amount);
    }
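The following is an added, self-contained example of the mitigation above together with a Foundry test for it; it is not the Beatland Festival project's code or the submitter's. The contract name BeatTokenBounded, the error names, the cap values (1,000 tokens per call, 1,000,000 total, both with 18 decimals) and the use of OpenZeppelin v5 and forge-std are assumptions. It bounds each mint per call and against a global cap, using totalSupply() as the cumulative counter so no separate totalFestivalMints variable is needed, and the tests assert that a zero-value mint and a mint past the cap both revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

// Illustrative hardened token. Contract name, error names and cap values are
// assumptions for this example, not the project's own code.
contract BeatTokenBounded is ERC20, Ownable {
    uint256 public constant MAX_MINT_PER_CALL = 1_000e18;   // assumed per-call cap
    uint256 public constant MAX_SUPPLY = 1_000_000e18;      // assumed global cap

    address public festivalContract;

    error NotFestival();
    error InvalidMintAmount(uint256 amount);
    error ExceedsMaxSupply(uint256 requested, uint256 remaining);

    constructor() ERC20("Beat Token", "BEAT") Ownable(msg.sender) {}

    function setFestivalContract(address festival) external onlyOwner {
        festivalContract = festival;
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != festivalContract) revert NotFestival();
        // Per-call bound: rejects zero-value mints and oversized batches.
        if (amount == 0 || amount > MAX_MINT_PER_CALL) revert InvalidMintAmount(amount);
        // Global bound: totalSupply() already tracks cumulative mints (net of burns),
        // so it serves as the counter instead of a separate state variable.
        uint256 remaining = MAX_SUPPLY - totalSupply();
        if (amount > remaining) revert ExceedsMaxSupply(amount, remaining);
        _mint(to, amount);
    }
}

contract BeatTokenBoundedTest is Test {
    BeatTokenBounded token;
    address festival = makeAddr("festival");
    address user = makeAddr("user");

    function setUp() public {
        token = new BeatTokenBounded();
        token.setFestivalContract(festival);
    }

    // A zero-value mint is now rejected instead of emitting a useless Transfer event.
    function test_RevertsOnZeroAmount() public {
        vm.prank(festival);
        vm.expectRevert(abi.encodeWithSelector(BeatTokenBounded.InvalidMintAmount.selector, 0));
        token.mint(user, 0);
    }

    // A single call above the per-call cap is rejected.
    function test_RevertsAbovePerCallCap() public {
        uint256 tooMuch = token.MAX_MINT_PER_CALL() + 1;
        vm.prank(festival);
        vm.expectRevert(abi.encodeWithSelector(BeatTokenBounded.InvalidMintAmount.selector, tooMuch));
        token.mint(user, tooMuch);
    }

    // Filling the supply in maximum-size batches, then minting one more unit, reverts
    // with zero remaining: the global cap holds regardless of how many calls are made.
    function test_RevertsAboveMaxSupply() public {
        uint256 cap = token.MAX_MINT_PER_CALL();
        uint256 batches = token.MAX_SUPPLY() / cap;
        vm.startPrank(festival);
        for (uint256 i = 0; i < batches; i++) {
            token.mint(user, cap);
        }
        assertEq(token.totalSupply(), token.MAX_SUPPLY());
        vm.expectRevert(abi.encodeWithSelector(BeatTokenBounded.ExceedsMaxSupply.selector, 1, 0));
        token.mint(user, 1);
        vm.stopPrank();
    }
}
```

Run with `forge test` in a project that has openzeppelin-contracts v5 and forge-std installed. Using totalSupply() as the counter means burned tokens free up cap space; if the intent is a hard lifetime limit on festival mints, keep a dedicated counter as in the mitigation above instead.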
Updates

Lead Judging Commences

inallhonesty Lead Judge 27 days ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
