baseReward — Accidental BEAT Hyper-Inflation

Normal behaviour: createPerformance() should mint a reasonable amount of BEAT tokens to attendees based on the organiser-defined baseReward.
Issue: The function places no upper bound on reward. A fat-finger mistake (e.g. 1e60) or a malicious organiser can schedule a performance whose payout dwarfs the total BEAT supply, breaking token economics instantly.
Likelihood:
- Human data-entry errors are common; a misplaced decimal could set reward to 10¹⁸ times the intended value.
- There are no UI guard rails if transactions are crafted offline.
Impact:
- A single attendance call would mint astronomical BEAT, immediately devaluing the token and harming all holders.
- An emergency contract upgrade or migration would be required.
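To illustrate the finding and a bounded alternative, an added example that is not the audited project's code: the IBeat interface, the Performance struct, the attend() function and the MAX_BASE_REWARD value are all assumptions chosen for this sketch, not the project's ABI or parameters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal BEAT mint interface, for illustration only.
interface IBeat {
    function mint(address to, uint256 amount) external;
}

contract Performances {
    struct Performance { address organiser; uint256 baseReward; }

    IBeat public immutable beat;
    // Assumed protocol-wide cap: no single attendance may mint more than
    // 1,000 BEAT (18 decimals). The real limit belongs in the token economics.
    uint256 public constant MAX_BASE_REWARD = 1_000 * 1e18;
    mapping(uint256 => Performance) public performances;
    uint256 public nextId;

    error RewardTooLarge(uint256 requested, uint256 max);

    constructor(IBeat _beat) { beat = _beat; }

    // Shape described in the finding: baseReward is stored exactly as given,
    // so a value such as 1e60 is accepted and later reaches mint() unchanged.
    function createPerformanceUnbounded(uint256 baseReward) external returns (uint256 id) {
        id = nextId++;
        performances[id] = Performance(msg.sender, baseReward);
    }

    // Hardened shape: reject any baseReward above the cap at scheduling time,
    // so a fat-finger or hostile value never becomes a mintable amount.
    function createPerformance(uint256 baseReward) external returns (uint256 id) {
        if (baseReward > MAX_BASE_REWARD) revert RewardTooLarge(baseReward, MAX_BASE_REWARD);
        id = nextId++;
        performances[id] = Performance(msg.sender, baseReward);
    }

    // Attendance mints baseReward to the caller (attendance proof omitted; assumed).
    function attend(uint256 id) external {
        beat.mint(msg.sender, performances[id].baseReward);
    }
}
```

The check is placed where the value enters storage rather than at mint time, so an out-of-range reward is rejected in the organiser's own transaction instead of surfacing only when an attendee claims.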