Beatland Festival
AI First Flight #4
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Permanently Inactive Collections Trap User BEAT Tokens

0xki

Root + Impact

Description

  • The createMemorabiliaCollection() function in FestivalPass.sol allows the organizer to create NFT collections with an activateNow parameter, and under normal operation, collections should either activate immediately or have a pathway to activation later, ensuring users can eventually redeem accumulated BEAT tokens for advertised memorabilia.

  • Collections created with activateNow = false have their isActive status permanently set to false with no subsequent function to modify it. The redeemMemorabilia() function strictly enforces active status, creating a permanent barrier where users accumulate BEAT tokens expecting future redemption opportunities that never materialize.


function createMemorabiliaCollection(
string memory name,
string memory baseUri,
uint256 priceInBeat,
uint256 maxSupply,
bool activateNow
) external onlyOrganizer returns (uint256) {
// ... validation ...
collections[collectionId] = MemorabiliaCollection({
// ... other fields ...
@> isActive: activateNow // No subsequent modification possible
});
// ...
}
function redeemMemorabilia(uint256 collectionId) external {
MemorabiliaCollection storage collection = collections[collectionId];
@> require(collection.isActive, "Collection not active"); // Permanent barrier for inactive collections
// ...
}

Risk

Likelihood:

  • The vulnerability manifests when organizers create collections with activateNow = false intending to activate them later, or when creating placeholder collections for future events without realizing the lack of activation functionality.

  • Human error in collection creation combined with absence of activation mechanisms makes this scenario likely during normal protocol operations.

Impact:

  • BEAT tokens lose value when major promised collections remain locked forever, and users cannot access advertised memorabilia despite holding sufficient token balances.

  • Protocol reputation suffers when "coming soon" collections never arrive and users discover their accumulated BEAT has diminished utility.

Proof of Concept

N/A

Recommended Mitigation

Add an activation function to enable organizers to activate previously inactive collections.

+ function activateCollection(uint256 collectionId) external onlyOrganizer {
+ require(collections[collectionId].priceInBeat > 0, "Collection does not exist");
+ require(!collections[collectionId].isActive, "Already active");
+ collections[collectionId].isActive = true;
+ emit CollectionActivated(collectionId);
+ }
+
+ event CollectionActivated(uint256 indexed collectionId);
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 20 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-01] Inactive Collections — Indefinite BEAT Lock-up

# Inactive Collections — Indefinite BEAT Lock-up ## Description * Normal behaviour: Organizer creates memorabilia collections with `activateNow = true` so users can immediately redeem BEAT for NFTs. * Issue: Collections can be created with `activateNow = false` and there is **no mechanism** to activate them later, nor any timeout. Users may acquire BEAT expecting to redeem specific memorabilia, but the organizer can indefinitely prevent access. ```solidity function createMemorabiliaCollection(..., bool activateNow) external onlyOrganizer { // ... validation ... @> collections[collectionId] = MemorabiliaCollection({ // ... isActive: activateNow // Can be false forever }); } function redeemMemorabilia(uint256 collectionId) external { @> require(collection.isActive, "Collection not active"); // Permanent block // ... } ``` ## Risk **Likelihood**: * Organizer may create collections in advance but forget to activate. * Intentional strategy to create hype then indefinitely delay launch. **Impact**: * Users hold BEAT tokens anticipating memorabilia that never becomes available. * Economic utility of BEAT reduced if major collections remain locked. ## Proof of Concept ```solidity function test_CollectionNeverActivated() public { // Alice gets BEAT tokens vm.prank(alice); festivalPass.buyPass{value: 0.1 ether}(VIP_PASS); // gets 5 BEAT bonus // Organizer creates inactive collection vm.prank(organizer); uint256 collectionId = festivalPass.createMemorabiliaCollection( "Limited Edition", "ipfs://limited", 3e18, 100, false // NOT activated ); // Alice tries to redeem but can't vm.prank(alice); vm.expectRevert("Collection not active"); festivalPass.redeemMemorabilia(collectionId); // Time passes, organizer chooses not to activate vm.warp(block.timestamp + 365 days); // Alice still can't redeem - funds effectively locked vm.prank(alice); vm.expectRevert("Collection not active"); festivalPass.redeemMemorabilia(collectionId); assertEq(beatToken.balanceOf(alice), 5e18, "Alice holds 'useless' BEAT"); } ``` ## Recommended Mitigation ```diff + mapping(uint256 => bool) public collectionActivated; + function activateCollection(uint256 collectionId) external onlyOrganizer { + require(collections[collectionId].priceInBeat > 0, "Collection does not exist"); + collections[collectionId].isActive = true; + collectionActivated[collectionId] = true; + } // Or add automatic timeout: + uint256 constant ACTIVATION_DEADLINE = 30 days; + mapping(uint256 => uint256) public collectionCreatedAt; function createMemorabiliaCollection(...) external onlyOrganizer { // ... + collectionCreatedAt[collectionId] = block.timestamp; } function redeemMemorabilia(uint256 collectionId) external { MemorabiliaCollection storage collection = collections[collectionId]; + bool autoActive = block.timestamp >= collectionCreatedAt[collectionId] + ACTIVATION_DEADLINE; + require(collection.isActive || autoActive, "Collection not active"); // ... } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!