Beatland Festival

First Flight #44
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Attending fake performances because of a missing existence check


Description

  • Normally, users should only be able to attend performances that were actually created, and they receive BEAT tokens as a reward for attending.

  • The problem is that the contract never checks whether a performance exists. It only checks whether the performance is "active", and that check can pass for an ID that was never created, because the zero-initialized storage of a non-existent performance can still satisfy it.

// This lets users attend a performance that doesn't exist
function attendPerformance(uint256 performanceId) external {
require(isPerformanceActive(performanceId), "Performance is not active");
}

Risk

Likelihood:

  • Any user can call attendPerformance with an ID that was never created.

  • The call succeeds whenever the zero-initialized storage for that ID satisfies isPerformanceActive.

Impact:

  • Users receive BEAT tokens for performances that never took place.

  • Rewards can be claimed against an unlimited number of fake IDs, draining the BEAT reward supply and breaking the festival's attendance accounting.

Proof of Concept

// A user calls attendPerformance with an ID that was never created
festivalPass.attendPerformance(999); // 999 does not exist
// The contract treats it as active and pays out the attendance reward
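To make the mechanism in the Description and the Proof of Concept concrete, here is a self-contained Foundry test that reproduces the pattern on a minimal contract. This is an added illustration written for this page; it is not the Beatland Festival code, and every name in it (Performance, performances, nextPerformanceId, isPerformanceActive, attendPerformance, BEAT_REWARD, beatBalance, VulnerablePass, HardenedPass) is assumed. The "active" check in VulnerablePass is constructed so that an all-zero struct passes it, which is the condition the report relies on; whether the real isPerformanceActive has that property is exactly what the report needs to show.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical contract built for this page; NOT the Beatland Festival code.
// It reproduces the pattern described in the report: the attendance path only
// asks "is this performance active?" and never "does this performance exist?".
contract VulnerablePass {
    struct Performance {
        uint256 startTime;
        uint256 endTime; // 0 means "no end time set" in this toy design
    }

    uint256 public constant BEAT_REWARD = 100e18;
    uint256 public nextPerformanceId = 1; // IDs are assigned from 1 upwards
    mapping(uint256 => Performance) public performances;
    mapping(address => uint256) public beatBalance; // stands in for BEAT token minting

    function createPerformance(uint256 startTime, uint256 endTime) external returns (uint256 id) {
        id = nextPerformanceId++;
        performances[id] = Performance(startTime, endTime);
    }

    // Assumed "active" logic: a never-created ID has startTime == 0 and endTime == 0,
    // so block.timestamp >= 0 holds and the endTime == 0 escape hatch also holds.
    // The default struct therefore looks "active".
    function isPerformanceActive(uint256 performanceId) public view returns (bool) {
        Performance storage p = performances[performanceId];
        return block.timestamp >= p.startTime && (p.endTime == 0 || block.timestamp <= p.endTime);
    }

    // Vulnerable path: no existence check before paying the reward.
    function attendPerformance(uint256 performanceId) external virtual {
        require(isPerformanceActive(performanceId), "Performance is not active");
        beatBalance[msg.sender] += BEAT_REWARD;
    }
}

// Hardened variant: existence is derived from the creation counter rather than
// from a field that could legitimately be zero, and the active window is strict.
contract HardenedPass is VulnerablePass {
    function performanceExists(uint256 performanceId) public view returns (bool) {
        return performanceId != 0 && performanceId < nextPerformanceId;
    }

    function attendPerformance(uint256 performanceId) external override {
        require(performanceExists(performanceId), "Performance does not exist");
        Performance storage p = performances[performanceId];
        require(block.timestamp >= p.startTime && block.timestamp <= p.endTime, "Performance is not active");
        beatBalance[msg.sender] += BEAT_REWARD;
    }
}

contract FakePerformanceTest is Test {
    // Constructed scenario: nobody ever created performance 999.
    uint256 constant FAKE_ID = 999;

    function testFakeIdPaysOutOnVulnerable() public {
        VulnerablePass v = new VulnerablePass();
        v.attendPerformance(FAKE_ID);
        assertEq(v.beatBalance(address(this)), v.BEAT_REWARD());
    }

    function testFakeIdRevertsOnHardened() public {
        HardenedPass h = new HardenedPass();
        vm.expectRevert("Performance does not exist");
        h.attendPerformance(FAKE_ID);
    }

    function testRealPerformanceStillWorksOnHardened() public {
        HardenedPass h = new HardenedPass();
        uint256 id = h.createPerformance(block.timestamp, block.timestamp + 1 hours);
        h.attendPerformance(id);
        assertEq(h.beatBalance(address(this)), h.BEAT_REWARD());
    }
}
```

Run with `forge test --match-contract FakePerformanceTest`. The test that matters for a submission like this one is the first: it only passes because the assumed isPerformanceActive accepts an all-zero struct. If the real implementation compares block.timestamp against a stored end time with no zero escape hatch, a never-created ID fails the active check on its own and the existence check adds nothing, so a report should include the real body of isPerformanceActive and point at the specific default value that satisfies it.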

Recommended Mitigation

function attendPerformance(uint256 performanceId) external {
- require(isPerformanceActive(performanceId), "Performance is not active");
+ require(performances[performanceId].startTime > 0, "Performance does not exist");
+ require(isPerformanceActive(performanceId), "Performance is not active");
}
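Review bot: the new require on `performances[performanceId].startTime > 0` assumes a Performance struct with a startTime field, but nothing on this page shows that struct or what isPerformanceActive evaluates; if isPerformanceActive already compares block.timestamp against a stored start and end window, an entry whose fields are all zero cannot pass it and the added check is redundant, which may be why the judge marked the statement incorrect. To substantiate the finding, quote the body of isPerformanceActive and name the default value that satisfies it. For the fix itself, prefer a bound against the creation counter (for example `require(performanceId != 0 && performanceId < nextPerformanceId, "Performance does not exist");`, where nextPerformanceId is whatever counter the contract uses to assign IDs) or an explicit existence flag, since a legitimate performance scheduled with startTime 0 would otherwise be rejected.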

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 month ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
