The `setOrganizer()` function lacks validation to ensure the provided address is not the zero address. If the owner sets `organizer` to `address(0)`, all organizer-only functions (creating performances, configuring passes, creating memorabilia collections) will permanently fail, effectively locking critical contract functionality.
The expected behavior is for `setOrganizer()` to validate that the organizer address is a valid non-zero address. However, the current implementation accepts any address, including the zero address.
```solidity
function setOrganizer(address _organizer) public onlyOwner {
    organizer = _organizer; // @> No zero address validation
}

function createPerformance(...) external onlyOrganizer {
    require(msg.sender == organizer, "Only organizer can call this"); // @> Will fail if organizer is address(0)
    // ...
}
```
Likelihood:
* Owner can call `setOrganizer()` with `address(0)` either accidentally or maliciously
* No validation prevents setting zero address
* The function can be called multiple times, but once set to zero, organizer functions are permanently disabled
Impact:
* Permanent denial of service for all organizer functions
* Cannot create performances, configure passes, or create memorabilia collections
* Contract functionality severely limited
* No recovery mechanism if owner account is compromised
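
One way to close the gap, shown as an added example rather than the audited project's code: the setter rejects `address(0)` before writing state and emits an event so organizer changes can be monitored off-chain. The contract name `OrganizerConfig`, the custom errors, the `OrganizerUpdated` event, the inline `owner` handling and the constructor argument are assumptions made to keep the snippet self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the audited contract. All names other than
/// `organizer`, `setOrganizer`, `onlyOwner` and `onlyOrganizer` are assumptions.
contract OrganizerConfig {
    address public immutable owner; // stand-in for the project's own owner logic
    address public organizer;

    error NotOwner();
    error NotOrganizer();
    error ZeroAddressOrganizer();

    // Emitted on every change so monitoring can alert on unexpected updates.
    event OrganizerUpdated(address indexed previousOrganizer, address indexed newOrganizer);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier onlyOrganizer() {
        if (msg.sender != organizer) revert NotOrganizer();
        _;
    }

    // Assumption: the organizer is supplied at deployment; it gets the same check
    // so the contract never starts with organizer == address(0).
    constructor(address _organizer) {
        if (_organizer == address(0)) revert ZeroAddressOrganizer();
        owner = msg.sender;
        organizer = _organizer;
        emit OrganizerUpdated(address(0), _organizer);
    }

    function setOrganizer(address _organizer) external onlyOwner {
        // Reject the zero address before any state is written; the revert
        // leaves the previous organizer in place.
        if (_organizer == address(0)) revert ZeroAddressOrganizer();

        address previous = organizer;
        organizer = _organizer;
        emit OrganizerUpdated(previous, _organizer);
    }
}
```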