Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Weak Validation of `performanceId` — Wasted Gas & Ambiguous Errors

Description

  • Normal behaviour: A user calls attendPerformance(performanceId) with an ID that exists.

  • Issue: The function does not check that performanceId is less than performanceCount. If the caller passes an arbitrary large number, the function reads an empty struct (startTime == 0) and reverts with "Performance is not active" after spending gas needlessly.

function attendPerformance(uint256 performanceId) external {
@> require(isPerformanceActive(performanceId), "Performance is not active");
...
}

Risk

Likelihood:

  • Accidental user error or a malicious griefing transaction can trigger the revert at any time.

Impact:

  • Each failed call burns ~20k gas; miners profit, users lose ETH.

  • The error message is ambiguous; a front-end may misdiagnose the problem.

Proof of Concept

// With zero performances scheduled:
festivalPass.attendPerformance(123); // costs gas, reverts "not active"
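
The behaviour described above, as an added example that is not the contest's contract: a lookup of an id that was never created reads a zeroed struct, so it fails the same check as a performance that has ended. The contract name, struct layout, storage mapping, active-window rule and the custom errors (swapped in for the page's require strings) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only. Names, storage layout and the window rule are assumed,
// not taken from the Beatland Festival code base.
contract PerformanceIdDemo {
    struct Performance {
        uint256 startTime;
        uint256 endTime;
    }

    mapping(uint256 => Performance) public performances; // assumed storage
    uint256 public performanceCount;

    error InvalidPerformanceId(uint256 id, uint256 count);
    error PerformanceNotActive(uint256 id);

    function createPerformance(uint256 startTime, uint256 duration) external returns (uint256 id) {
        id = performanceCount++; // ids are zero-based in this sketch
        performances[id] = Performance(startTime, startTime + duration);
    }

    // An unset mapping slot reads as Performance(0, 0). With endTime == 0 the
    // window test is false for every id that was never created.
    function isPerformanceActive(uint256 id) public view returns (bool) {
        Performance memory p = performances[id];
        return block.timestamp >= p.startTime && block.timestamp < p.endTime;
    }

    // Behaviour described in the finding: an unknown id and an ended
    // performance both revert with the same string. State changes omitted.
    function attendUnchecked(uint256 id) external view {
        require(isPerformanceActive(id), "Performance is not active");
    }

    // Bounds check first, with distinct errors a front-end can decode.
    // The call still reverts; only the reported reason changes.
    function attendChecked(uint256 id) external view {
        if (id >= performanceCount) revert InvalidPerformanceId(id, performanceCount);
        if (!isPerformanceActive(id)) revert PerformanceNotActive(id);
    }
}
```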

Recommended Mitigation

function attendPerformance(uint256 performanceId) external {
+ require(performanceId < performanceCount, "Invalid performance id");
require(isPerformanceActive(performanceId), "Performance is not active");
...
}
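
Review bot: the added require on the first line of attendPerformance still ends in a revert, so a caller who passes a bad id pays for a failed transaction with or without it; what this line changes is the reported reason, "Invalid performance id" instead of "Performance is not active". The write-up should present it as an error-clarity change rather than a gas saving. The bound performanceId < performanceCount also assumes ids start at 0, and nothing in the snippet shows how ids are assigned, so state that assumption or reference the code that assigns them.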
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
