Submission Details
Impact:
Likelihood:
Attending fake performances because of missing check
Description
-
Normally, users should only be able to attend real performances and get BEAT tokens as a reward.
-
The problem is the contract does not check if a performance actually exists. It only checks if the performance is "active," but this can be true for a performance that was never created.
// This lets users attend a performance that doesn't exist
function attendPerformance(uint256 performanceId) external {
require(isPerformanceActive(performanceId), "Performance is not active");
}
Risk
Likelihood:
-
This will happen if someone tries to attend a performance with a made-up ID.
-
The contract will let them in if the default values make it look "active."
Impact:
-
Users can get BEAT tokens for fake performances.
-
The BEAT token supply can be drained and the event logic is broken.
Proof of Concept
// User calls this with a fake performance ID
festivalPass.attendPerformance(999); // 999 does not exist
// The contract lets them attend and get tokens
Recommended Mitigation
function attendPerformance(uint256 performanceId) external {
- require(isPerformanceActive(performanceId), "Performance is not active");
+ require(performances[performanceId].startTime > 0, "Performance does not exist");
+ require(isPerformanceActive(performanceId), "Performance is not active");
}
Updates
Rewards breakdown
nSLOC
234This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.