Multiple functions like buyPass(), redeemMemorabilia(), attendPerformance() are marked externally callable with no reference to access control modifiers (like onlyOwner, onlyOrganizer, etc.).
Impact:
Unauthorized purchases or redemptions
Free BEAT token farming
Mint spam (DoS via NFT flooding)
Document expected modifiers in interface via comments, and enforce them strictly in the implementation.
Example:
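An added sketch of this recommendation, not the contest code or the submission's own example: the interface states the expected caller for each function in NatSpec comments and the implementation enforces it. The contract and interface names, all parameters, setPassPrice and the access rules chosen for each function are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only: names other than buyPass, attendPerformance and
// onlyOrganizer are hypothetical, and the access rules are assumed.
interface IPassSale {
    /// @notice Access: any caller. Must send exactly the configured price.
    function buyPass(uint256 passId) external payable;

    /// @notice Access: caller must already hold a pass. Once per performance.
    function attendPerformance(uint256 performanceId) external;

    /// @notice Access: organizer only (enforced with onlyOrganizer).
    function setPassPrice(uint256 passId, uint256 price) external;
}

contract PassSale is IPassSale {
    address public immutable organizer;
    mapping(uint256 => uint256) public passPrice; // 0 means not for sale
    mapping(address => bool) public hasPass;
    mapping(uint256 => mapping(address => bool)) public attended;

    modifier onlyOrganizer() {
        require(msg.sender == organizer, "not organizer");
        _;
    }

    constructor() {
        organizer = msg.sender;
    }

    function setPassPrice(uint256 passId, uint256 price) external onlyOrganizer {
        passPrice[passId] = price;
    }

    // Open to everyone, but only for a listed pass at the exact price.
    // Withdrawal of collected funds is outside the scope of this sketch.
    function buyPass(uint256 passId) external payable {
        uint256 price = passPrice[passId];
        require(price != 0, "pass not for sale");
        require(msg.value == price, "wrong payment");
        hasPass[msg.sender] = true;
    }

    // Any reward would be credited here, once per holder and performance.
    function attendPerformance(uint256 performanceId) external {
        require(hasPass[msg.sender], "no pass");
        require(!attended[performanceId][msg.sender], "already attended");
        attended[performanceId][msg.sender] = true;
    }
}
```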