Submission Details
Impact:
Likelihood:
Incorrect Return Value in `FestivalPass::createPerformance`
Description
`FestivalPass::createPerformance` function is defined as:
```javascript
function createPerformance(
uint256 startTime,
uint256 duration,
uint256 reward
) external onlyOrganizer returns (uint256) {
require(startTime > block.timestamp, "Start time must be in the future");
require(duration > 0, "Duration must be greater than 0");
performances[performanceCount] = Performance({
startTime: startTime,
endTime: startTime + duration,
baseReward: reward
});
emit PerformanceCreated(performanceCount, startTime, startTime + duration);
return performanceCount++;
}
```
Here, performanceCount is returned after using the post-increment operator performanceCount++, which means the next ID is returned instead of the actual ID that was just created.
-> This results in an off-by-one logic bug:
- The function creates performance ID N, But returns N + 1.
Risk
Impact:
Off-by-one error can cause external contracts or frontends to reference the wrong performance
Proof of Concept
```javascript
uint256 id = festivalPass.createPerformance(block.timestamp + 3600, 2 hours, 10e18);
// This returns `1`
// But actual performance created is `performance[0]`
Performance memory wrongPerf = festivalPass.performances(id); // empty struct
```
Recommended Mitigation
```diff
emit PerformanceCreated(performanceCount, startTime, startTime + duration);
- return performanceCount++;
+ uint256 newId = performanceCount;
+ performanceCount++;
+ return newId;
}
```
Rewards breakdown
nSLOC
234This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.