Normally, users should only be able to attend real performances and get BEAT tokens as a reward.
The problem is the contract does not check if a performance actually exists. It only checks if the performance is "active," but this can be true for a performance that was never created.
Likelihood:
This will happen if someone tries to attend a performance with a made-up ID.
The contract will let them in if the default values make it look "active."
Impact:
Users can get BEAT tokens for fake performances.
The BEAT token supply can be drained and the event logic is broken.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.