Beatland Festival

AI First Flight #4
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: low
Likelihood: medium
Invalid

Memorabilia collection `baseUri` cannot be updated after creation

Description

The `FestivalPass::createMemorabiliaCollection` function sets the `baseUri` at creation time, but there is no function to update it afterward. If the metadata URI becomes invalid (e.g., IPFS pin expires, typo in URI, or metadata needs updating), the organizer has no way to fix it.

```solidity
collections[collectionId] = MemorabiliaCollection({
    name: name,
@>  baseUri: baseUri, // No setter function exists
    priceInBeat: priceInBeat,
    maxSupply: maxSupply,
    currentItemId: 1,
    isActive: activateNow
});
```

Risk

Likelihood:

  • This will occur when metadata hosting changes, IPFS pins expire, or a typo is discovered in the URI after collection creation.

Impact:

  • Token metadata becomes permanently inaccessible or incorrect, degrading user experience and NFT value.

Proof of Concept

  1. Organizer creates collection with baseUri = "ipfs://QmWrongHash"

  2. Organizer discovers the typo but cannot update it

  3. All minted tokens return broken metadata URIs forever

```solidity
function testBaseUriCannotBeUpdatedAfterCreation() public {
    // Organizer creates collection with typo in baseUri
    vm.prank(organizer);
    uint256 collectionId = festivalPass.createMemorabiliaCollection(
        "Limited Poster",
        "ipfs://QmWrongHash", // Typo!
        100e18,
        50,
        true
    );

    // Verify the wrong URI is set
    (, string memory returnedUri,,,,) = festivalPass.collections(collectionId);
    assertEq(returnedUri, "ipfs://QmWrongHash");

    // No function exists to update baseUri
    // festivalPass.setCollectionBaseUri(collectionId, "ipfs://QmCorrectHash"); // Would not compile - function doesn't exist

    // URI remains wrong forever - cannot be fixed
}
```

Recommended Mitigation

Add a setter function that allows the organizer to update the baseUri after creation. This enables fixing typos, migrating to new IPFS hashes, or updating metadata hosting without needing to recreate the entire collection.

+ function setCollectionBaseUri(uint256 collectionId, string memory newBaseUri) external onlyOrganizer {
+ require(collections[collectionId].priceInBeat > 0, "Collection does not exist");
+ require(bytes(newBaseUri).length > 0, "URI required");
+ collections[collectionId].baseUri = newBaseUri;
+ emit URI(newBaseUri, collectionId);
+ }
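
Review bot: The existence check on the first `require` treats `priceInBeat > 0` as proof that the collection exists, which only holds if creation rejects a zero price; nothing in this hunk guarantees that, so an explicit existence marker would be sturdier. On the `emit URI(newBaseUri, collectionId)` line, if `URI` is the ERC-1155 event, its second argument is a token id, and the struct's `currentItemId` field suggests token ids are per item rather than per collection, so indexers may not tie the event to the tokens already minted. The function also has no NatSpec: because it lets the organizer change metadata for tokens holders already own, document that trust assumption or pair the setter with a one-way freeze.
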
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 22 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
