Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Missing Cooldown in attendPerformance

Root + Impact

Description

The attendPerformance function lacks a mechanism to restrict users from attending the same performance multiple times. Without a cooldown or attendance-tracking check, users can repeatedly call this function and receive BEAT token rewards each time. This undermines the reward system and allows malicious actors to drain tokens.

// attendPerformance function

Risk

Likelihood

  • Function is publicly accessible.

  • No mapping or timestamp check prevents duplicate attendance.

  • Attackers can automate repeated reward claims.

Impact

  • Inflation of BEAT tokens.

  • Unfair advantage to attackers.

  • Devaluation of rewards for legitimate users.

Proof of Concept

// fp: the deployed festival contract under test
for (uint256 i = 0; i < 100; i++) {
    fp.attendPerformance(1); // called repeatedly for the same performanceId
}
// If there is no guard (e.g., hasAttended[user][performanceId]), this loop will grant 100x the intended reward to a single user.

Recommended Mitigation

Introduce a hasAttended mapping to track user attendance per performance, so that each user can attend a given performance only once.
- function attendPerformance(uint256 performanceId) external {
- rewards[msg.sender] += calculateReward(performanceId);
- }
+ mapping(address => mapping(uint256 => bool)) public hasAttended;
+ function attendPerformance(uint256 performanceId) external {
+ require(!hasAttended[msg.sender][performanceId], "Already attended");
+ hasAttended[msg.sender][performanceId] = true;
+ rewards[msg.sender] += calculateReward(performanceId);
+ }
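Review bot: the `-` lines in this hunk are a simplified reconstruction rather than the contract's actual attendPerformance body (the Root + Impact section above contains only the placeholder comment `// attendPerformance function`), so the diff cannot be applied to the real source as written; quote the real function and show where `require(!hasAttended[msg.sender][performanceId], "Already attended");` and the `hasAttended[msg.sender][performanceId] = true;` write are inserted. The ordering of the added lines is right: the check and the state write come before the reward is credited, which is the correct checks-effects ordering.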
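As an added illustration (not code from this submission or from the Beatland Festival contract), a Foundry test against a constructed stand-in contract shows both behaviours described above: the PoC loop crediting the reward 100 times when no guard exists, and the hasAttended check rejecting the second call once the mitigation is in place. FestivalStub, its fixed REWARD and the test names are assumptions made for this example.

```solidity
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the festival contract (constructed for this example,
// not the audited Beatland code). Reward is a fixed amount per performance.
contract FestivalStub {
    uint256 public constant REWARD = 10 ether;
    mapping(address => uint256) public rewards;
    mapping(address => mapping(uint256 => bool)) public hasAttended;
    bool public immutable guarded;

    constructor(bool _guarded) { guarded = _guarded; }

    function attendPerformance(uint256 performanceId) external {
        if (guarded) {
            // Checks-effects: mark attendance before crediting the reward.
            require(!hasAttended[msg.sender][performanceId], "Already attended");
            hasAttended[msg.sender][performanceId] = true;
        }
        rewards[msg.sender] += REWARD;
    }
}

contract AttendanceGuardTest is Test {
    address attendee = makeAddr("attendee");

    // Without the guard, repeated calls credit the reward every time.
    function test_UnguardedCreditsReward100x() public {
        FestivalStub fp = new FestivalStub(false);
        vm.startPrank(attendee);
        for (uint256 i = 0; i < 100; i++) {
            fp.attendPerformance(1);
        }
        vm.stopPrank();
        assertEq(fp.rewards(attendee), 100 * fp.REWARD());
    }

    // With the guard, the second call for the same performanceId reverts
    // and the balance stays at a single reward.
    function test_GuardedRejectsSecondAttendance() public {
        FestivalStub fp = new FestivalStub(true);
        vm.startPrank(attendee);
        fp.attendPerformance(1);
        vm.expectRevert(bytes("Already attended"));
        fp.attendPerformance(1);
        vm.stopPrank();
        assertEq(fp.rewards(attendee), fp.REWARD());
        assertTrue(fp.hasAttended(attendee, 1));
    }
}
```

Run with `forge test --match-contract AttendanceGuardTest` in a Foundry project that has forge-std installed.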
Updates

Lead Judging Commences

inallhonesty Lead Judge
3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
