The contract’s normal behavior is that a user who owns a festival pass can attend a performance once, and upon attendance, receives BEAT token rewards based on their pass type. The attendance is recorded per address, so repeated attendance by the same address is prevented during the same performance.
The specific issue is that the attendance and reward system tracks attendance only at the address level (hasAttended[performanceId][address]) without associating the attendance or rewards with the actual NFT pass tokens. Because passes are transferable, a single pass token can be transferred to many different addresses, each able to attend the same performance separately and collect rewards. This enables an attacker to farm rewards by passing a single pass among multiple addresses, each earning full BEAT rewards, effectively allowing unlimited inflation of BEAT tokens.
Likelihood:
The issue occurs whenever a pass token is transferred to multiple different addresses that sequentially attend the same performance, each receiving BEAT rewards.
The ERC1155 pass tokens are transferable without any transfer restrictions or staking, enabling easy rotation of the pass among many addresses for farming.
Impact:
Unlimited and repeated BEAT token rewards can be minted without requiring additional passes or payments, causing severe token inflation.
Damage to the festival tokenomics and reward system integrity, resulting in unfair advantages and potentially devaluing BEAT tokens.
The following PoC demonstrates how an attacker who owns a single VIP Pass token can exploit the contract’s reward system by repeatedly transferring the same token to multiple addresses to claim attendance rewards multiple times for the same performance. Each new address that receives the pass token is treated independently by the contract, allowing them to attend and earn BEAT tokens despite the pass token being the same. This behavior results in unlimited farming of rewards using just one pass, which violates the intended one-reward-per-pass-per-performance model and directly inflates the BEAT token supply.
Alternatively,
Implementing either modification prevents the same pass token from being used multiple times to farm attendance rewards across different addresses.
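As an added illustration of the per-token fix (this is example code, not the audited project's contract), the attendance check below is keyed by (performanceId, passTokenId) instead of (performanceId, holder address), so moving the same pass to a fresh address cannot unlock a second reward. It assumes each pass is a unique ERC1155 id with supply 1, a hypothetical `passType` lookup, and a hypothetical `IBeatToken.mint` interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";

// Hypothetical reward-token interface; the real BEAT token's mint signature may differ.
interface IBeatToken {
    function mint(address to, uint256 amount) external;
}

/// Hypothetical festival-pass contract showing the hardened attendance logic.
contract FestivalPassHardened is ERC1155 {
    IBeatToken public immutable beat;

    // Vulnerable pattern from the finding, kept only for contrast (unused):
    // mapping(uint256 => mapping(address => bool)) public hasAttended; // performanceId => holder

    // Hardened: attendance is recorded against the pass token itself.
    mapping(uint256 => mapping(uint256 => bool)) public passAttended; // performanceId => passTokenId
    mapping(uint256 => uint256) public passType;      // passTokenId => pass type (assumed to be set at mint)
    mapping(uint256 => uint256) public rewardForType; // pass type => BEAT reward amount (assumed config)

    constructor(address beatToken) ERC1155("") {
        beat = IBeatToken(beatToken);
    }

    /// Caller must currently hold the pass, and that pass must not have attended
    /// this performance under any previous holder.
    function attendPerformance(uint256 performanceId, uint256 passTokenId) external {
        require(balanceOf(msg.sender, passTokenId) > 0, "caller does not hold this pass");
        require(!passAttended[performanceId][passTokenId], "pass already attended");

        // Effects before interaction: mark the token as used for this performance.
        passAttended[performanceId][passTokenId] = true;

        // Reward depends on the pass type, as in the original design.
        beat.mint(msg.sender, rewardForType[passType[passTokenId]]);
    }
}
```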