Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Hardcoded URI in ERC1155 Constructor Prevents Dynamic Metadata Updates

Root + Impact

Description

The contract hardcodes the metadata URI in the ERC1155 constructor. This value cannot be changed post-deployment.

constructor(address _organizer, address _usdc, address _usdt, address _venue)
    ERC1155("ipfs://QmSt2DQTxLB7pyy6bqzABhVL2oNYikfqXPznTjfd3fwXx6") {
    ...
}

This locks the metadata and disables flexibility for future updates, design upgrades, or changes in IPFS pinning strategy.

Risk

Likelihood:

Happens at deployment and affects the entire lifecycle of the NFT system.

If the IPFS hash is incorrect, taken down, or contains wrong metadata, you cannot fix it.

Impact:

Metadata becomes stale, inaccessible, or incorrect, damaging user trust and utility.

No room for future upgrades (e.g. migrating to HTTPS or newer decentralized storage formats).

Loss of flexibility means any error in the URI hash would render NFTs broken or unverified.

Proof of Concept

// No function in FestivalPass allows you to update the URI
FestivalPass.tokenURI(1);
// returns static hardcoded IPFS hash set in constructor
// any error in this hash = permanent NFT metadata failure

Recommended Mitigation

- ERC1155("ipfs://QmSt2DQTxLB7pyy6bqzABhVL2oNYikfqXPznTjfd3fwXx6")
+ ERC1155("")
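
Review bot: On the `+ ERC1155("")` line, the constructor now sets an empty URI, so metadata lookups return an empty string from deployment until setURI is called, and nothing in this change makes that call. Consider taking the initial URI as a constructor argument (or calling _setURI in the constructor body) so tokens never exist without metadata, and keep the setter for later corrections only.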

Add a setURI(string calldata newUri) function controlled by the organizer/owner:

function setURI(string calldata newUri) external onlyOwner {
    _setURI(newUri);
}

Use OpenZeppelin’s URI update pattern, possibly gated by Ownable or AccessControl.
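
One way to flesh out the recommended setter, as an added example that is not FestivalPass code or part of the original submission. It assumes OpenZeppelin Contracts v5.x; the contract name UpdatableUriPass, the events, the errors and freezeURI are hypothetical. It goes slightly beyond the text by taking the initial URI as a constructor argument and adding a one-way freeze, since a mutable URI also lets the owner rewrite metadata that holders already rely on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5.x (Ownable takes the initial owner).
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical contract for illustration, not FestivalPass itself.
contract UpdatableUriPass is ERC1155, Ownable {
    /// Once true, the metadata URI can never change again.
    bool public uriFrozen;

    /// Lets off-chain indexers notice that metadata must be refreshed.
    event BaseURIUpdated(string newUri);
    event BaseURIFrozen();

    error URIFrozen();
    error EmptyURI();

    /// The initial URI is a deployment argument instead of a source literal;
    /// a wrong value can be corrected later through setURI.
    constructor(address organizer, string memory initialUri)
        ERC1155(initialUri)
        Ownable(organizer)
    {}

    /// Owner-only update; reverts after freezeURI() or for an empty string.
    function setURI(string calldata newUri) external onlyOwner {
        if (uriFrozen) revert URIFrozen();
        if (bytes(newUri).length == 0) revert EmptyURI();
        _setURI(newUri);
        emit BaseURIUpdated(newUri);
    }

    /// One-way switch: gives holders an on-chain guarantee that the
    /// metadata location is final once the collection is settled.
    function freezeURI() external onlyOwner {
        uriFrozen = true;
        emit BaseURIFrozen();
    }
}
```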

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Known issue
