Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: high

Invalid

Pass Quantity Reward Logic Inconsistency Creates Economic Inefficiency

nomadic_bear

Root + Impact

Description

The getMultiplier() function is designed to provide reward multipliers based on pass tier ownership, with BACKSTAGE passes receiving 3x rewards, VIP passes receiving 2x rewards, and GENERAL passes receiving 1x rewards. Under normal economic logic, users who invest more heavily in the festival by purchasing multiple passes should receive proportional benefits that reflect their increased investment and commitment to the ecosystem.
However, the reward multiplier system only considers the highest tier pass owned rather than the quantity of passes purchased, meaning a user with 1 BACKSTAGE pass receives identical 3x rewards as a user with 100 BACKSTAGE passes. This creates an economic inefficiency where increased investment beyond the first pass of each tier provides no additional reward benefits, potentially discouraging larger investments and creating unclear value propositions for bulk pass purchases.

function getMultiplier(address user) public view returns (uint256) {

@> if (balanceOf(user, BACKSTAGE_PASS) > 0) {

@> return 3; // Fixed 3x regardless of quantity owned

@> } else if (balanceOf(user, VIP_PASS) > 0) {

@> return 2; // Fixed 2x regardless of quantity owned

@> } else if (balanceOf(user, GENERAL_PASS) > 0) {

@> return 1; // Fixed 1x regardless of quantity owned

}

return 0; // No pass

}

The vulnerability exists in the boolean logic where the function only checks if the user owns any passes (> 0) rather than considering the actual quantity owned. This creates a flat reward structure that doesn't scale with investment, contradicting typical economic models where larger investments yield proportionally higher returns.

Risk

Likelihood:

The inconsistency manifests immediately whenever any user purchases multiple passes of the same tier, which is expected behavior for collectors, investors, or users seeking multiple festival experiences.
The issue affects all users who make bulk purchases or acquire multiple passes through any means, requiring no special conditions or complex scenarios to trigger the economic inefficiency.

Impact:

Economic inefficiency where users receive no additional reward benefits for increased investment beyond the first pass of each tier, potentially reducing protocol revenue from users who might otherwise purchase multiple passes for enhanced benefits.
Unclear value proposition for bulk pass purchases creates user confusion about the economic benefits of larger investments, but does not result in direct fund loss or security vulnerabilities, only suboptimal economic design that may reduce user engagement and investment incentives.

Proof of Concept

Recommended Mitigation

The fix implements quantity-based reward scaling that provides diminishing returns for additional passes while maintaining the base tier structure. This creates a clearer value proposition for bulk purchases, encourages increased investment in the protocol, and aligns the reward system with typical economic models where larger investments yield proportionally higher (though diminishing) returns.

function getMultiplier(address user) public view returns (uint256) {

+ uint256 backstagePasses = balanceOf(user, BACKSTAGE_PASS);

+ uint256 vipPasses = balanceOf(user, VIP_PASS);

+ uint256 generalPasses = balanceOf(user, GENERAL_PASS);

+ // Calculate multiplier based on highest tier and quantity

+ if (backstagePasses > 0) {

+ return 3 + (backstagePasses - 1) / 2; // 3x base + 0.5x per additional pass

+ } else if (vipPasses > 0) {

+ return 2 + (vipPasses - 1) / 3; // 2x base + 0.33x per additional pass

+ } else if (generalPasses > 0) {

+ return 1 + (generalPasses - 1) / 5; // 1x base + 0.2x per additional pass

- if (balanceOf(user, BACKSTAGE_PASS) > 0) {

- return 3;

- } else if (balanceOf(user, VIP_PASS) > 0) {

- return 2;

- } else if (balanceOf(user, GENERAL_PASS) > 0) {

- return 1;

}

return 0;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

27 days ago

inallhonesty Lead Judge 25 days ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.