Beatland Festival

First Flight #44
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: medium
Likelihood: high
Status: Invalid

Zero Reward Performance Undermines Incentive

DESCRIPTION: Normally, users purchase festival passes to attend virtual performances, with the expectation of earning BEAT tokens as a reward for their participation. The createPerformance function is designed for the Organizer to configure these performances, including setting a reward amount. The specific issue is that the createPerformance function allows the Organizer to set this reward to zero, which means attendees will participate in the performance and spend gas without receiving any BEAT tokens, directly undermining the core incentive mechanism of the protocol.
In FestivalPass.sol, the createPerformance function lacks a validation check ensuring that the reward parameter is greater than zero. This allows the Organizer (the only caller permitted by the onlyOrganizer modifier) to configure a performance that, despite being presented as an "earning opportunity" for attendees (as implied by the attendPerformance function's name and purpose), will yield no BEAT tokens. Consequently, when attendPerformance calls BeatToken(beatToken).mint(msg.sender, performances[performanceId].baseReward * multiplier), an amount of 0 is minted if baseReward was set to 0, regardless of the multiplier.

function createPerformance(
    uint256 startTime,
    uint256 duration,
    uint256 reward
) external onlyOrganizer returns (uint256) {
    require(startTime > block.timestamp, "Start time must be in the future");
    require(duration > 0, "Duration must be greater than 0");
    // Set start/end times
    performances[performanceCount] = Performance({
        startTime: startTime,
        endTime: startTime + duration,
        baseReward: reward
    });
    emit PerformanceCreated(performanceCount, startTime, startTime + duration);
    return performanceCount++;
}

Risk

Likelihood: Medium

  • This will occur when an authorized Organizer inadvertently sets the reward parameter to 0 during the createPerformance function call.

  • This will also occur if a malicious Organizer intentionally sets the reward to 0 to cause user frustration or waste user gas.

Impact: Medium

  • Wasted User Resources: Attendees incur gas fees for attendPerformance transactions that yield no benefit, representing a direct financial loss for the user.

  • Broken Core Protocol Incentive: The fundamental incentive mechanism for user engagement (earning BEAT for attendance) is undermined, potentially leading to reduced user participation and protocol adoption.

  • Negative User Experience & Reputational Damage: Users may feel misled or that their time and resources are wasted, leading to frustration and a loss of trust in the protocol.

  • Loss of Expected Value/Utility: Attendees participate in a core protocol activity ("Attend a performance to earn BEAT") but receive no BEAT tokens, directly losing the expected reward.

Proof of Concept

Recommended Mitigation

Add a require statement in the createPerformance function to ensure that the reward parameter is always greater than zero. This will prevent Organizers from inadvertently or maliciously creating performances that yield no BEAT tokens for attendees.
function createPerformance(
    uint256 startTime,
    uint256 duration,
    uint256 reward
) external onlyOrganizer returns (uint256) {
    require(startTime > block.timestamp, "Start time must be in the future");
    require(duration > 0, "Duration must be greater than 0");
+   require(reward > 0, "Reward must be greater than 0"); // Add this line
    // Set start/end times
    performances[performanceCount] = Performance({
        startTime: startTime,
        endTime: startTime + duration,
        baseReward: reward
    });
    emit PerformanceCreated(performanceCount, startTime, startTime + duration);
    return performanceCount++;
}

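The finding and its mitigation can be exercised together in a Foundry test. The contract below is an added, simplified stand-in for FestivalPass written for this page (it is not the project's code): it keeps only the performance bookkeeping relevant here and takes a constructor flag that switches the recommended require() on, so one test file shows both the unguarded and the guarded behaviour. The struct layout, the constructor and the organizer modifier are assumptions; the mint call in attendPerformance is not modelled, since a baseReward of 0 makes baseReward * multiplier zero for any multiplier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Simplified stand-in for FestivalPass (added example, not the project's code).
// `guarded` = true applies the recommended require(reward > 0) check.
contract PerformanceModel {
    struct Performance { uint256 startTime; uint256 endTime; uint256 baseReward; }
    mapping(uint256 => Performance) public performances;
    uint256 public performanceCount;
    address public organizer; // assumption: deployer acts as Organizer
    bool public guarded;

    constructor(bool _guarded) { organizer = msg.sender; guarded = _guarded; }

    modifier onlyOrganizer() { require(msg.sender == organizer, "Not organizer"); _; }

    function createPerformance(uint256 startTime, uint256 duration, uint256 reward)
        external onlyOrganizer returns (uint256)
    {
        require(startTime > block.timestamp, "Start time must be in the future");
        require(duration > 0, "Duration must be greater than 0");
        if (guarded) require(reward > 0, "Reward must be greater than 0");
        performances[performanceCount] = Performance(startTime, startTime + duration, reward);
        return performanceCount++;
    }
}

contract ZeroRewardTest is Test {
    // Unmitigated: a zero-reward performance is stored, so attendees would be minted 0 BEAT.
    function test_unguarded_acceptsZeroReward() public {
        PerformanceModel fp = new PerformanceModel(false);
        uint256 id = fp.createPerformance(block.timestamp + 1 days, 1 hours, 0);
        (, , uint256 baseReward) = fp.performances(id);
        assertEq(baseReward, 0);
    }

    // Mitigated: the zero-reward call reverts, a positive reward is still accepted.
    function test_guarded_rejectsZeroReward() public {
        PerformanceModel fp = new PerformanceModel(true);
        vm.expectRevert(bytes("Reward must be greater than 0"));
        fp.createPerformance(block.timestamp + 1 days, 1 hours, 0);

        uint256 id = fp.createPerformance(block.timestamp + 1 days, 1 hours, 100e18);
        (, , uint256 baseReward) = fp.performances(id);
        assertEq(baseReward, 100e18);
    }
}
```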
Updates

Lead Judging Commences

inallhonesty (Lead Judge), 3 months ago:
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
