BeatToken.sol::setFestivalContract is missing a zero check
The setFestivalContract function allows the owner to set the festivalContract address that is authorized to mint and burn tokens. This address is critical because it controls token supply modification.
However, the function does not validate that the provided _festival address is non-zero. As a result, the owner can mistakenly set the festivalContract to address(0).
Both mint and burnFrom will become permanently unusable, since no address can satisfy the msg.sender == festivalContract requirement. This would effectively disable token minting and burning functionality.
Likelihood:
Owner configuration mistakes are common during deployment.
There is no safeguard preventing the accidental assignment of address(0).
Impact:
Token minting and burning functionality becomes permanently inaccessible.
The following test demonstrates that after setting festivalContract to address(0), any attempt to mint tokens reverts with Only_Festival_Mint, confirming that the contract enters an unusable state.
To prevent accidental misconfiguration, the function should validate that the provided _festival address is not the zero address before assigning it to festivalContract.
Adding a zero-check ensures that the authorization condition remains satisfiable and prevents the contract from entering a permanently unusable state.
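A sketch of the recommended zero check, added here as an illustration and not taken from the project's BeatToken.sol. The contract name, the simplified ownership and balance bookkeeping, the ZeroFestivalAddress error and the FestivalContractSet event are assumptions; Only_Festival_Mint is written as a custom error, which is also an assumption about how the real contract reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's BeatToken.sol. Ownership and balance
// bookkeeping are simplified assumptions so the file compiles on its own.
contract BeatTokenSketch {
    error NotOwner();            // hypothetical
    error ZeroFestivalAddress(); // hypothetical name for the new check
    error Only_Festival_Mint();  // revert name taken from the finding

    // Hypothetical event: lets monitoring flag any change of the minter.
    event FestivalContractSet(address indexed previous, address indexed current);

    address public immutable owner;
    address public festivalContract;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function setFestivalContract(address _festival) external onlyOwner {
        // Reject address(0): no caller can ever have msg.sender == address(0),
        // so accepting it would make the mint/burn authorization unsatisfiable.
        if (_festival == address(0)) revert ZeroFestivalAddress();
        emit FestivalContractSet(festivalContract, _festival);
        festivalContract = _festival;
    }

    function mint(address to, uint256 amount) external {
        // Same authorization condition the finding describes.
        if (msg.sender != festivalContract) revert Only_Festival_Mint();
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}
```

With this check, a call to setFestivalContract(address(0)) reverts and leaves the existing festivalContract value untouched.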