The `setFestivalContract()` function lacks validation to ensure the provided address is not the zero address. If the owner accidentally or maliciously sets `festivalContract` to `address(0)`, all token minting and burning operations will permanently fail, rendering the contract unusable.
The normal behavior should validate that the festival contract address is a valid non-zero address before setting it. However, the current implementation only checks that the festival contract hasn't been set before, but doesn't validate the address itself.
```solidity
function setFestivalContract(address _festival) external onlyOwner {
    require(festivalContract == address(0), "Festival contract already set");
    festivalContract = _festival; // @> No zero address validation
}

function mint(address to, uint256 amount) external {
    require(msg.sender == festivalContract, "Only_Festival_Mint"); // @> Will fail if festivalContract is address(0)
    _mint(to, amount);
}
```
Likelihood:
* Owner can call `setFestivalContract()` with `address(0)` either accidentally or maliciously
* No validation prevents setting zero address
* The function can only be called once, making the mistake permanent
Impact:
* Permanent denial of service - all `mint()` and `burnFrom()` calls will fail
* Contract becomes completely unusable for its intended purpose
* No recovery mechanism exists once set incorrectly
* Users cannot earn or spend BEAT tokens
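
A hardened form of the setter with a Foundry test for it, as an added example that is not part of the original submission or the audited project's code. It assumes OpenZeppelin Contracts v5 and forge-std; the contract names, the error and event names, the token name string and the test addresses are hypothetical or constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

// Hypothetical contract; assumes OpenZeppelin v5, where Ownable takes the initial owner.
contract BeatTokenHardened is ERC20, Ownable {
    address public festivalContract;
    error ZeroFestivalAddress(); // hypothetical error name
    event FestivalContractSet(address indexed festival); // hypothetical event name

    constructor() ERC20("BeatToken", "BEAT") Ownable(msg.sender) {}

    function setFestivalContract(address _festival) external onlyOwner {
        require(festivalContract == address(0), "Festival contract already set");
        // address(0) is also the "unset" value the guard above tests for, so reject it explicitly.
        if (_festival == address(0)) revert ZeroFestivalAddress();
        festivalContract = _festival;
        emit FestivalContractSet(_festival);
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == festivalContract, "Only_Festival_Mint");
        _mint(to, amount);
    }
}

contract BeatTokenHardenedTest is Test {
    BeatTokenHardened token;
    address festival = address(0xBEEF); // constructed address standing in for the festival contract

    function setUp() public { token = new BeatTokenHardened(); } // the test contract becomes owner

    function test_rejectsZeroThenAcceptsOnce() public {
        vm.expectRevert(BeatTokenHardened.ZeroFestivalAddress.selector);
        token.setFestivalContract(address(0)); // zero address is refused

        token.setFestivalContract(festival); // a non-zero address is accepted once
        vm.expectRevert("Festival contract already set");
        token.setFestivalContract(address(1)); // a second call is refused

        vm.prank(festival);
        token.mint(address(this), 1e18); // minting works from the configured caller
        assertEq(token.balanceOf(address(this)), 1e18);
    }
}
```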