Beatland Festival

AI First Flight #4

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

configurePass resets passSupply to 0 allowing maxSupply bypass

r0p

Title: configurePass resets passSupply to 0 allowing maxSupply bypass
Severity: Medium
Impact: Total passes minted exceeds declared maxSupply after any reconfiguration.
Likelihood: Medium — requires organizer to reconfigure, but honest mistakes trigger it.
Reference Files: src/FestivalPass.sol:54-66

Description

configurePass unconditionally resets passSupply[passId] = 0, discarding the record of previously sold passes. After reconfiguration, buyPass allows minting up to the new maxSupply again, making the total circulating supply exceed the declared cap. The vulnerable code:

function configurePass(uint256 passId, uint256 price, uint256 maxSupply) external onlyOrganizer {

require(price > 0, "Price must be greater than 0");

require(maxSupply > 0, "Max supply must be greater than 0");

passPrice[passId] = price;

passMaxSupply[passId] = maxSupply;

passSupply[passId] = 0; // ← resets sold count to zero

}

If 50 GENERAL passes have been sold and the organizer reconfigures (e.g., to change price), the sold count resets to 0 — another 100 passes can be minted, totaling 150 against a max of 100.

Risk

Impact: Medium. The maxSupply cap becomes unenforceable across reconfigurations. Pass scarcity and economic value are undermined as more passes circulate than declared possible.
Likelihood: Medium. Requires organizer action, but honest reconfigurations (price changes, supply adjustments) trigger the bug unintentionally.
A festival with maxSupply=100 GENERAL passes could have 200+ circulating after two routine price adjustments, destroying the scarcity model for all pass holders.

Proof of Concept

function testSupplyResetBypassesMaxSupply() public {

vm.prank(organizer);

festivalPass.configurePass(1, 0.05 ether, 2); // maxSupply=2

// Sell both passes

vm.prank(user1); festivalPass.buyPass{value: 0.05 ether}(1);

vm.prank(user2); festivalPass.buyPass{value: 0.05 ether}(1);

// Supply at max — third purchase reverts

vm.prank(user3); vm.expectRevert("Max supply reached");

festivalPass.buyPass{value: 0.05 ether}(1);

// Organizer reconfigures — supply resets to 0!

vm.prank(organizer);

festivalPass.configurePass(1, 0.05 ether, 2);

// Now can mint another 2 passes despite maxSupply still being 2

vm.prank(user3); festivalPass.buyPass{value: 0.05 ether}(1);

// Total 4 passes minted against maxSupply=2

assertEq(festivalPass.balanceOf(user1, 1) + festivalPass.balanceOf(user2, 1)

+ festivalPass.balanceOf(user3, 1), 3);

assertEq(festivalPass.passMaxSupply(1), 2);

}

Three passes minted against a maxSupply of 2 after one reconfiguration — the cap is bypassed.

Recommended Mitigation

function configurePass(uint256 passId, uint256 price, uint256 maxSupply) external onlyOrganizer {

require(passId == GENERAL_PASS || passId == VIP_PASS || passId == BACKSTAGE_PASS, "Invalid pass ID");

require(price > 0, "Price must be greater than 0");

require(maxSupply > 0, "Max supply must be greater than 0");

require(maxSupply >= passSupply[passId], "Max supply below already sold");

passPrice[passId] = price;

passMaxSupply[passId] = maxSupply;

// REMOVED: passSupply[passId] = 0;

}

Removing the supply reset preserves the sold count, and the new require(maxSupply >= passSupply) check prevents lowering the cap below already-sold passes — maintaining the supply invariant across reconfigurations.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] [H-1] Reseting the current pass supply to 0 in the FestivalPass::configurePass function allows users to bypass the max supply cap of a pass

# \[H-1] Reseting the current pass supply to `0` in the `FestivalPass::configurePass` function allows users to bypass the max supply cap of a pass ## Description: ```solidity function configurePass(uint256 passId, uint256 price, uint256 maxSupply) external onlyOrganizer { require(passId == GENERAL_PASS || passId == VIP_PASS || passId == BACKSTAGE_PASS, "Invalid pass ID"); require(price > 0, "Price must be greater than 0"); require(maxSupply > 0, "Max supply must be greater than 0"); passPrice[passId] = price; passMaxSupply[passId] = maxSupply; @> passSupply[passId] = 0; // Reset current supply } ``` If you reset `passSupply[passId]` to `0` in the `FestivalPass::configurePass` function after passes have been sold, the next buyer will be able to mint as if no passes have been sold. This allows the total minted passes to exceed `passMaxSupply`, which is a serious vulnerability (a supply cap bypass) ## Impact: * Supply caps become meaningless: The users can mint unlimited passes beyond the intended maximum supply * Pass scarcity and value are destroyed, affecting the economic model ## Proof of Concept: ```solidity function test_SupplyCapBypassVulnerability() public { // Step 1: Configure a pass with max supply of 2 vm.prank(organizer); festivalPass.configurePass(1, GENERAL_PRICE, 2); // Step 2: Buy 2 passes (reaching max supply) vm.prank(user1); festivalPass.buyPass{value: GENERAL_PRICE}(1); vm.prank(user2); festivalPass.buyPass{value: GENERAL_PRICE}(1); // Verify max supply reached assertEq(festivalPass.passSupply(1), 2); assertEq(festivalPass.passMaxSupply(1), 2); // Step 3: Try to buy another pass - should fail address user3 = makeAddr("user3"); vm.deal(user3, 10 ether); vm.prank(user3); vm.expectRevert("Max supply reached"); festivalPass.buyPass{value: GENERAL_PRICE}(1); // Step 4: VULNERABILITY - Organizer reconfigures the pass // This resets passSupply[1] to 0, bypassing the supply cap! vm.prank(organizer); festivalPass.configurePass(1, GENERAL_PRICE, 2); // Step 5: Now we can buy more passes even though max supply was already reached vm.prank(user3); festivalPass.buyPass{value: GENERAL_PRICE}(1); // Step 6: We can even buy more passes beyond the original max supply vm.deal(user4, 10 ether); vm.prank(user4); festivalPass.buyPass{value: GENERAL_PRICE}(1); // Step 7: Verify the vulnerability - total supply exceeds max supply assertEq(festivalPass.passSupply(1), 2); // Current supply counter assertEq(festivalPass.passMaxSupply(1), 2); // Max supply limit // But we actually have 4 passes minted in total! assertEq(festivalPass.balanceOf(user1, 1), 1); assertEq(festivalPass.balanceOf(user2, 1), 1); assertEq(festivalPass.balanceOf(user3, 1), 1); assertEq(festivalPass.balanceOf(user4, 1), 1); // Total minted: 4 passes, but max supply is only 2! uint256 totalMinted = festivalPass.balanceOf(user1, 1) + festivalPass.balanceOf(user2, 1) + festivalPass.balanceOf(user3, 1) + festivalPass.balanceOf(user4, 1); assertGt(totalMinted, festivalPass.passMaxSupply(1), "VULNERABILITY: Total minted exceeds max supply!"); } ``` ## Recommended Mitigation: The `passSupply` reset should be removed ```diff function configurePass(uint256 passId, uint256 price, uint256 maxSupply) external onlyOrganizer { require(passId == GENERAL_PASS || passId == VIP_PASS || passId == BACKSTAGE_PASS, "Invalid pass ID"); require(price > 0, "Price must be greater than 0"); require(maxSupply > 0, "Max supply must be greater than 0"); passPrice[passId] = price; passMaxSupply[passId] = maxSupply; - passSupply[passId] = 0; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!