Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Memorabilia Collection Can Be Permanently Deactivated

howiecht

Description

The createMemorabiliaCollection function allows the organizer to create new NFT collections for attendees to purchase with their BEAT tokens. The function includes a boolean parameter activateNow to control whether the collection is immediately available for redemption.
If a collection is created with activateNow set to false, it can never be activated. The isActive flag is set to false and there is no function to change this state, effectively making the collection permanently inert.

// src/FestivalPass.sol

function createMemorabiliaCollection(

string memory name,

string memory baseUri,

uint256 priceInBeat,

uint256 maxSupply,

bool activateNow

) external onlyOrganizer returns (uint256) {

//...

collections[collectionId] = MemorabiliaCollection({

name: name,

baseUri: baseUri,

priceInBeat: priceInBeat,

maxSupply: maxSupply,

currentItemId: 1, // Start item IDs at 1

@> isActive: activateNow // if created with false, it will never be active and redeemable

});

emit CollectionCreated(collectionId, name, maxSupply);

return collectionId;

}

Risk

Likelihood:

An organizer creates a collection for a future event or artist and sets activateNow to false, intending to activate it later.
An organizer makes a mistake during creation and sets activateNow to false accidentally.

Impact:

The memorabilia collection becomes permanently unusable, preventing any sales and leading to a loss of expected revenue for the organizer.
The effort and gas spent to create the collection are wasted.

Proof of Concept

function test_RedeemMemorabilia_CollectionNotActive() public {

vm.prank(organizer);

uint256 collectionId = festivalPass.createMemorabiliaCollection(

"Future Release",

"ipfs://QmFuture",

100e18,

10,

false // Not active

);

// organizer wants to start the sale, but there is no function to activate the collection.

// The `collections[collectionId].isActive` remains false.

vm.prank(user1);

vm.expectRevert("Collection not active");

festivalPass.redeemMemorabilia(collectionId);

}

Recommended Mitigation

// In FestivalPass.sol

+ // Activate a memorabilia collection

+ function activateMemorabiliaCollection(uint256 collectionId) external onlyOrganizer {

+ require(collections[collectionId].priceInBeat > 0, "Collection does not exist");

+ require(!collections[collectionId].isActive, "Collection already active");

+ collections[collectionId].isActive = true;

+ }

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

createMemorabiliaCollection with isActive false for later usage - flow not properly implemented.

Low because an organizer can use it with active = true and organizer is trusted.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.