Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Organizer Hijack Allows Over-Minting in FestivalPass

r4y4n3

Root + Impact

Description

The contract owner can arbitrarily change the organizer address at any time using the setOrganizer function. The new organizer immediately gains full control over all organizer-only functions, including configuring passes and increasing supply caps. This enables a malicious owner or compromised owner key to transfer organizer privileges to an attacker, who can then over-mint passes and break all supply guarantees.

// FestivalPass.sol

function setOrganizer(address _organizer) public onlyOwner {

@> organizer = _organizer;

}

Risk

Likelihood:

The owner can change the organizer at any time, for any reason, without delay or user notification.
This can occur if the owner is malicious, compromised, or pressured to rug-pull.

Impact:

The new organizer can immediately increase pass supply and sell unlimited passes, diluting all existing holders.
All trust in the pass system and project is lost, leading to financial and reputational damage.

Proof of Concept

If the owner changes the organizer to a malicious address, the new organizer can immediately call configurePass to increase the supply of any pass and sell unlimited passes. This breaks all supply guarantees and enables rug-pull scenarios.

function test_OrganizerCanBeHijacked() public {

// Owner changes organizer to attacker

festival.setOrganizer(attacker);

// Attacker now has full organizer privileges

vm.prank(attacker);

festival.configurePass(1, 0.1 ether, 1000); // Maliciously increase supply

// Attacker can now sell unlimited passes

vm.deal(user, 100 ether);

for (uint256 i = 0; i < 10; i++) {

vm.prank(user);

festival.buyPass{value: 0.1 ether}(1);

}

// Check that more than original cap were minted

assertGt(

festival.passSupply(1),

"Over-minting possible after organizer hijack"

);

}

Recommended Mitigation

To prevent organizer hijacking, make the organizer immutable after deployment by setting it only in the constructor and removing the setOrganizer function entirely. This ensures the organizer cannot be changed after deployment, eliminating the risk of privilege escalation or rug-pull via organizer replacement.

- // Remove this function entirely:

- function setOrganizer(address _organizer) public onlyOwner {

- organizer = _organizer;

- }

+ // Set organizer only once at deployment; make immutable

+ constructor(address _beatToken, address _organizer) ERC1155("ipfs://beatdrop/{id}") Ownable(msg.sender){

+ require(_organizer != address(0), "Organizer required");

+ organizer = _organizer;

+ beatToken = _beatToken;

+ }

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.