Normally, the attendPerformance() function checks for a cooldown period between attendances using lastCheckIn[msg.sender] + COOLDOWN, which is intended to prevent rapid farming.
However, this cooldown is global per user and not tied to each performance. As a result, a user can attend multiple overlapping performances one after another, within a single block, without violating the cooldown.
Likelihood:
This will occur when multiple performances overlap in time, which is likely during festivals or concurrent shows.
An attacker can call attendPerformance() for each active performance in quick succession.
Impact:
Enables rapid BEAT farming across multiple performances.
Undermines the intent of the cooldown and encourages bots to game the system.
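The finding does not show the contract, so the attendPerformance() below is an added hypothetical reconstruction of the mitigation, not the audited code: it keys the cooldown per (user, performance) and also refreshes the per-user timestamp on every attendance, so both the same-performance and the overlapping-performance farming paths described above revert. The Performance struct, the performances and beatBalance mappings and the constant values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal contract added for illustration (not the audited
/// code). Performance struct, performances, beatBalance and the constant
/// values are assumptions; performance scheduling is omitted.
contract AttendanceCooldown {
    struct Performance { uint64 start; uint64 end; }

    uint256 public constant COOLDOWN = 1 hours;          // assumed value
    uint256 public constant BEAT_PER_ATTENDANCE = 10e18; // assumed value

    mapping(uint256 => Performance) public performances;
    mapping(address => uint256) public beatBalance;

    // Per-user timestamp of the most recent attendance of any performance.
    // The finding describes a check of the form
    //   block.timestamp >= lastCheckIn[msg.sender] + COOLDOWN
    // as the only rate limit, which carries no per-performance information.
    mapping(address => uint256) public lastCheckIn;

    // Per-(user, performance) timestamp, so each performance is rate-limited
    // on its own.
    mapping(address => mapping(uint256 => uint256)) public lastCheckInFor;

    error PerformanceInactive(uint256 id);
    error CooldownActive(uint256 readyAt);
    event Attended(address indexed who, uint256 indexed id, uint256 at);

    function attendPerformance(uint256 id) external {
        Performance memory p = performances[id];
        if (block.timestamp < p.start || block.timestamp >= p.end) {
            revert PerformanceInactive(id);
        }
        // 1. The same performance cannot be attended again until COOLDOWN passes.
        uint256 readyForThis = lastCheckInFor[msg.sender][id] + COOLDOWN;
        if (block.timestamp < readyForThis) revert CooldownActive(readyForThis);
        // 2. Refreshed on every attendance, so attending A then B then C in one
        //    block (the path the finding describes) is rejected at B.
        uint256 readyGlobal = lastCheckIn[msg.sender] + COOLDOWN;
        if (block.timestamp < readyGlobal) revert CooldownActive(readyGlobal);

        lastCheckInFor[msg.sender][id] = block.timestamp;
        lastCheckIn[msg.sender] = block.timestamp;
        beatBalance[msg.sender] += BEAT_PER_ATTENDANCE;
        emit Attended(msg.sender, id, block.timestamp);
    }
}
```

If the design intends each performance to be attended only once, the per-performance timestamp can be replaced by a boolean attended flag while the per-user cooldown is kept.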