Beatland Festival

AI First Flight #4
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: medium
Likelihood: low
Invalid

FestivalPass::setOrganizer missing zero address check can permanently disable organizer functions

Description

The FestivalPass::setOrganizer function allows the owner to update the organizer address but does not validate that the new address is not address(0). If the owner accidentally sets the organizer to the zero address, it will cause a DoS for onlyOrganizer functions.

function setOrganizer(address _organizer) public onlyOwner {
@>  organizer = _organizer; // No zero address validation
}

modifier onlyOrganizer() {
    require(msg.sender == organizer, "Only organizer can call this");
    _;
}

Risk

Likelihood:

  • This will occur when the owner makes an input error and passes address(0) when calling setOrganizer.

Impact:

  • All onlyOrganizer functions become unusable until setOrganizer is called again to fix it:

    • configurePass - cannot set pass prices/supply

    • createPerformance - cannot create new performances

    • createMemorabiliaCollection - cannot create new collections

  • The festival becomes non-functional if this happens before initial configuration.

Proof of Concept

  1. Owner calls setOrganizer(address(0)) by mistake

  2. All organizer functions now revert since msg.sender can never equal address(0)

  3. Festival operations are permanently halted

Add the following test to your FestivalPass.t.sol file:

function testSetOrganizerToZeroAddressBreaksFunctionality() public {
    // Owner accidentally sets organizer to zero address
    vm.prank(owner);
    festivalPass.setOrganizer(address(0));

    // Verify organizer is now zero address
    assertEq(festivalPass.organizer(), address(0));

    // All organizer functions now fail
    vm.prank(owner); // Even owner can't act as organizer
    vm.expectRevert("Only organizer can call this");
    festivalPass.configurePass(1, 0.1 ether, 100);

    vm.expectRevert("Only organizer can call this");
    festivalPass.createPerformance(block.timestamp + 1 hours, 2 hours, 10e18);

    vm.expectRevert("Only organizer can call this");
    festivalPass.createMemorabiliaCollection("Test", "ipfs://test", 10e18, 100, true);
}
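
Added example, not part of the submission or of the Beatland Festival code: a self-contained Foundry fuzz test that carries the scenario through to the recovery step noted under Impact, where the owner calls setOrganizer again. OrganizerGateStandIn, configure and the "Only owner" message are constructed stand-ins; only setOrganizer and onlyOrganizer mirror the code quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in, not the real FestivalPass: only the access-control pieces
// quoted in the report, so the test runs without the project source.
contract OrganizerGateStandIn {
    address public owner = msg.sender;
    address public organizer;
    uint256 public configuredPrice;

    modifier onlyOwner() {
        require(msg.sender == owner, "Only owner"); // constructed message
        _;
    }

    modifier onlyOrganizer() {
        require(msg.sender == organizer, "Only organizer can call this");
        _;
    }

    // Same body as the unpatched setOrganizer quoted in the report.
    function setOrganizer(address _organizer) public onlyOwner {
        organizer = _organizer;
    }

    // Hypothetical organizer-gated function standing in for configurePass.
    function configure(uint256 price) external onlyOrganizer {
        configuredPrice = price;
    }
}

contract OrganizerLockoutTest is Test {
    OrganizerGateStandIn gate = new OrganizerGateStandIn();

    function testFuzz_OwnerCanEndLockout(address replacement) public {
        vm.assume(replacement != address(0));
        gate.setOrganizer(address(0)); // this test contract is the owner
        vm.prank(replacement);
        vm.expectRevert("Only organizer can call this");
        gate.configure(1 ether); // locked out while organizer == address(0)

        gate.setOrganizer(replacement); // owner repairs the setting
        vm.prank(replacement);
        gate.configure(1 ether);
        assertEq(gate.configuredPrice(), 1 ether);
    }
}
```

Run with forge test --match-contract OrganizerLockoutTest in a project that has forge-std installed.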

Recommended Mitigation

Add a zero address check to setOrganizer:

function setOrganizer(address _organizer) public onlyOwner {
+ require(_organizer != address(0), "Invalid organizer address");
organizer = _organizer;
+ emit OrganizerUpdated(_organizer);
}
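
Review bot: the added emit OrganizerUpdated(_organizer); line relies on an event that this change does not declare, and the original function shown under Description emits nothing, so the patch as written is incomplete. Add the event declaration to the contract in the same change (its exact signature is not on this page) or drop the emit line.
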
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 22 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
