Beatland Festival
AI First Flight #4
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

redeemMemorabilia() off-by-one error prevents the last item in every collection from being redeemed

virgilbb

Root + Impact

Description

  • redeemMemorabilia lets users burn BeatTokens to mint a memorabilia NFT, with currentItemId tracking how many have been issued and maxSupply capping the collection size.

  • Because currentItemId is initialised to 1 (not 0) but the guard uses a strict-less-than comparison (< maxSupply), the check fails when currentItemId == maxSupply, leaving the final slot permanently unredeemable despite the collection not being sold out.

function redeemMemorabilia(uint256 collectionId) external {
MemorabiliaCollection storage collection = collections[collectionId];
require(collection.priceInBeat > 0, "Collection does not exist");
require(collection.isActive, "Collection not active");
// @> currentItemId starts at 1; when it equals maxSupply the last item is unreachable
require(collection.currentItemId < collection.maxSupply, "Collection sold out");
BeatToken(beatToken).burnFrom(msg.sender, collection.priceInBeat);
// @> post-increment: first call assigns itemId=1, ..., last reachable call assigns itemId=maxSupply-1
uint256 itemId = collection.currentItemId++;
_mint(msg.sender, itemId, 1, "");
}

Risk

Likelihood:

  • This is a code-level invariant that fires on every collection once maxSupply - 1 items have been minted; it affects 100% of collections and is completely deterministic.

Impact:

  • One memorabilia item per collection is forever unclaimable, causing the last buyer to be denied despite paying BeatTokens and the organizer to under-deliver on advertised collection sizes.

Proof of Concept

With maxSupply = 3 and currentItemId starting at 1, only items 1 and 2 can be minted; the third call reverts with "Collection sold out" even though only 2 of 3 items were issued.

function test_lastItemNeverRedeemable() public {
uint256 collectionId = 1;
uint256 maxSupply = 3;
uint256 price = 10e18;
vm.prank(organizer);
festivalPass.createMemorabiliaCollection(collectionId, maxSupply, price);
for (uint256 i; i < maxSupply - 1; i++) {
address buyer = address(uint160(i + 1));
deal(address(beatToken), buyer, price);
vm.prank(buyer);
beatToken.approve(address(festivalPass), price);
vm.prank(buyer);
festivalPass.redeemMemorabilia(collectionId); // items 1 and 2 succeed
}
// Third buyer — should succeed for a maxSupply-3 collection
address lastBuyer = address(uint160(99));
deal(address(beatToken), lastBuyer, price);
vm.prank(lastBuyer);
beatToken.approve(address(festivalPass), price);
vm.prank(lastBuyer);
vm.expectRevert("Collection sold out");
festivalPass.redeemMemorabilia(collectionId); // reverts — last item unreachable
}

The test confirms the final item cannot be redeemed even when supply remains.

Recommended Mitigation

Either initialise currentItemId to 0 and keep the < guard, or change the guard to <= while keeping the initialisation at 1.

- require(collection.currentItemId < collection.maxSupply, "Collection sold out");
+ require(collection.currentItemId <= collection.maxSupply, "Collection sold out");
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-03] Off-by-One in `redeemMemorabilia` Prevents Last NFT From Being Redeemed

# Off-by-One in `redeemMemorabilia` Prevents Last NFT From Being Redeemed ## Description * The `createMemorabiliaCollection` function allows an organizer to create an NFT collection that can be exchanged for the BEAT token via the `redeemMemorabilia` function by users. * The `redeemMemorabilia` function checks if `collection.currentItemId` is less than `collection.maxSupply`. However, the `currentItemId` starts with 1 in the `createMemorabiliaCollection` function. This prevents the final item (where `currentItemId` equals `maxSupply`) from being redeemed. ```Solidity function createMemorabiliaCollection( string memory name, string memory baseUri, uint256 priceInBeat, uint256 maxSupply, bool activateNow ) external onlyOrganizer returns (uint256) { require(priceInBeat > 0, "Price must be greater than 0"); require(maxSupply > 0, "Supply must be at least 1"); require(bytes(name).length > 0, "Name required"); require(bytes(baseUri).length > 0, "URI required"); uint256 collectionId = nextCollectionId++; collections[collectionId] = MemorabiliaCollection({ name: name, baseUri: baseUri, priceInBeat: priceInBeat, maxSupply: maxSupply, @> currentItemId: 1, // Start item IDs at 1 isActive: activateNow }); emit CollectionCreated(collectionId, name, maxSupply); return collectionId; } function redeemMemorabilia(uint256 collectionId) external { MemorabiliaCollection storage collection = collections[collectionId]; require(collection.priceInBeat > 0, "Collection does not exist"); require(collection.isActive, "Collection not active"); @> require(collection.currentItemId < collection.maxSupply, "Collection sold out"); // Burn BEAT tokens BeatToken(beatToken).burnFrom(msg.sender, collection.priceInBeat); // Generate unique token ID uint256 itemId = collection.currentItemId++; uint256 tokenId = encodeTokenId(collectionId, itemId); // Store edition number tokenIdToEdition[tokenId] = itemId; // Mint the unique NFT _mint(msg.sender, tokenId, 1, ""); emit MemorabiliaRedeemed(msg.sender, tokenId, collectionId, itemId); } ``` ## Risk **Likelihood**: * A legitimate user calls `redeemMemorabilia` attempting to redeem the last NFT in a collection. **Impact**: * The user fails to get the NFT, even though the redemption counter has not reached the maximum supply of the collection. ## Proof of Concept The following test shows a user trying to redeem the 10th NFT in one collection. Running `forge test --mt test_Audit_RedeemMaxSupply -vv` shows the output that the 10th redemption is reverted due to the sold out. ```Solidity function test_Audit_RedeemMaxSupply() public { vm.prank(organizer); uint256 maxSupply = 10; // Cap for memorabilia NFT collection uint256 collectionId = festivalPass.createMemorabiliaCollection( "Future Release", "ipfs://QmFuture", 10e18, maxSupply, true ); vm.startPrank(address(festivalPass)); beatToken.mint(user1, 10000e18); // Give enough BEAT for user vm.stopPrank(); vm.startPrank(user1); for (uint256 i = 0; i < maxSupply - 1; i++) { festivalPass.redeemMemorabilia(collectionId); console.log("Redeem sucess:", i + 1); // Redeem success from 1 to 9 } // 10th redeem call reverts with "Collection Sold out" vm.expectRevert("Collection sold out"); festivalPass.redeemMemorabilia(collectionId); console.log("Redeem reverted:", maxSupply); vm.stopPrank(); } ``` ## Recommended Mitigation Modify the supply check in `redeemMemorabilia` to use `<=` (less than or equal to) instead of `<`, ensuring that the final item can be redeemed. This approach is preferable to modifying the `createMemorabiliaCollection` function (which is clearly documented to start `currentItemId` at 1). ```diff // Redeem a memorabilia NFT from a collection function redeemMemorabilia(uint256 collectionId) external { MemorabiliaCollection storage collection = collections[collectionId]; require(collection.priceInBeat > 0, "Collection does not exist"); require(collection.isActive, "Collection not active"); - require(collection.currentItemId < collection.maxSupply, "Collection sold out"); + require(collection.currentItemId <= collection.maxSupply, "Collection sold out"); // allow equals // Burn BEAT tokens BeatToken(beatToken).burnFrom(msg.sender, collection.priceInBeat); // Generate unique token ID uint256 itemId = collection.currentItemId++; uint256 tokenId = encodeTokenId(collectionId, itemId); // Store edition number tokenIdToEdition[tokenId] = itemId; // Mint the unique NFT _mint(msg.sender, tokenId, 1, ""); emit MemorabiliaRedeemed(msg.sender, tokenId, collectionId, itemId); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!