FestivalPass.sol:createPerformance does not check the duration of the performance properly
The function FestivalPass.sol:createPerformance only checks that the duration is greater than zero. This means performances with an extremely short duration (e.g. 1 second) are also allowed. Given the unpredictable timing of block confirmations, such a short window can result in:
Users being unable to participate or register attendance.
Increased risk of race conditions, where only one or few users succeed in interacting with the contract in time.
Potential DoS-style spamming of the platform with unusable events.
Likelihood:
In a blockchain environment where transactions are confirmed with delays, short durations are inherently prone to race conditions or failures for participants.
It is very easy for an organizer (malicious or negligent) to create a performance with a duration of 1–2 seconds.
Impact:
Performances lasting for 1 or 2 seconds could make it impossible for most users to interact.
Malicious organizers could create many ultra-short performances that clog up event listings without offering meaningful participation opportunities.
Add both a minimum and a maximum allowed duration threshold for any performance.
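One way to implement this recommendation, as an added example that is not the FestivalPass source: the `createPerformance` signature, storage layout, custom errors and the 15-minute and 12-hour bounds are assumptions chosen for illustration, and organizer access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch only, not the FestivalPass contract.
/// Signature, storage and bound values are assumptions; access control is omitted.
contract PerformanceDurationBounds {
    // Assumed bounds: choose values that fit the product and the chain's block time.
    uint256 public constant MIN_PERFORMANCE_DURATION = 15 minutes;
    uint256 public constant MAX_PERFORMANCE_DURATION = 12 hours;

    struct Performance {
        uint256 startTime;
        uint256 endTime;
    }

    error DurationTooShort(uint256 duration, uint256 minimum);
    error DurationTooLong(uint256 duration, uint256 maximum);

    event PerformanceCreated(uint256 indexed id, uint256 startTime, uint256 endTime);

    uint256 public performanceCount;
    mapping(uint256 => Performance) public performances;

    function createPerformance(uint256 startTime, uint256 duration)
        external
        returns (uint256 id)
    {
        // Replaces a bare `duration > 0` check: a window shorter than the
        // minimum cannot reliably be hit given block confirmation delays.
        if (duration < MIN_PERFORMANCE_DURATION) {
            revert DurationTooShort(duration, MIN_PERFORMANCE_DURATION);
        }
        // Upper bound keeps a single performance from staying open indefinitely.
        if (duration > MAX_PERFORMANCE_DURATION) {
            revert DurationTooLong(duration, MAX_PERFORMANCE_DURATION);
        }

        id = performanceCount++;
        // Checked arithmetic in 0.8.x reverts if startTime + duration overflows.
        uint256 endTime = startTime + duration;
        performances[id] = Performance(startTime, endTime);
        emit PerformanceCreated(id, startTime, endTime);
    }
}
```

Custom errors carry the offending value and the bound, so a rejected call tells the organizer exactly which limit was missed.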