Normally, when someone buys a festival pass, they pay ETH and get one pass.
The problem is that the contract hands out the pass before it updates the supply count. A buyer that is itself a smart contract can re-enter buyPass() during the token transfer, while the supply still holds its old value, and so receive more passes for the same payment.
Likelihood:
This will happen whenever an attacker calls buyPass() from a contract and re-enters it during the token transfer.
The attack works as long as the contract has no reentrancy protection and the supply is updated only after the transfer.
Impact:
The attacker can get many passes for the price of one.
The festival loses money and the pass supply limit is broken.
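The following contracts are an added illustration of the ordering bug and its fix, not the audited code: they assume the pass is an ERC1155 token (so the mint invokes onERC1155Received on a contract buyer, the re-entry point described above), a fixed price per call, and OpenZeppelin v5 import paths; the contract names, supply cap and price are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin v5 import paths.
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Constructed stand-in for the festival contract: the pass is an ERC1155 token
/// whose mint calls onERC1155Received on a contract buyer, which is where
/// buyPass() can be re-entered before `supply` is updated.
contract FestivalPassVulnerable is ERC1155 {
    uint256 public constant PASS_ID = 1;
    uint256 public constant MAX_SUPPLY = 100;
    uint256 public constant PRICE = 0.1 ether;
    uint256 public supply; // passes sold so far

    constructor() ERC1155("") {}

    function buyPass() external payable {
        require(msg.value == PRICE, "wrong price");
        require(supply < MAX_SUPPLY, "sold out");
        // BUG: interaction before effect. A contract buyer can call buyPass()
        // again from onERC1155Received while `supply` still holds the old value,
        // so the sold-out check passes on every nested call and the cap is bypassed.
        _mint(msg.sender, PASS_ID, 1, "");
        supply += 1;
    }
}

/// Hardened version: checks-effects-interactions order plus a reentrancy guard.
contract FestivalPassFixed is ERC1155, ReentrancyGuard {
    uint256 public constant PASS_ID = 1;
    uint256 public constant MAX_SUPPLY = 100;
    uint256 public constant PRICE = 0.1 ether;
    uint256 public supply;

    constructor() ERC1155("") {}

    function buyPass() external payable nonReentrant {
        require(msg.value == PRICE, "wrong price");
        require(supply < MAX_SUPPLY, "sold out");
        supply += 1; // effect first: the cap is checked against updated state
        _mint(msg.sender, PASS_ID, 1, ""); // external interaction last
    }
}
```

Either change alone closes the re-entry path; applying both means the supply cap holds even if a later refactor reintroduces an external call before the state update.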