Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Missing Cooldown & Replay Protection in attendPerformance()

Root + Impact

Description

  • The attendPerformance(uint256 performanceId) function allows a user to check into a performance and earn BEAT tokens. However, there is no enforced cooldown or usage tracking in the interface, and no clear guidance for the implementation to:

    • Prevent the same user from attending the same performance multiple times

    • Prevent Flashbots/mempool-based exploitation that attends many times in quick succession

    Without such protection, a user can spam attendPerformance() within the same block or across short time spans.

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

  • Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

  • Reason 2

Impact:

  • Infinite BEAT token minting

  • BEAT token value collapse

  • Game-theory imbalance among users

  • Replay attacks using flashbots, sandwiching real users

Proof of Concept

// Spamming attend in a loop — if allowed by the implementation
for (uint i = 0; i < 10; i++) {
    festivalPass.attendPerformance(1); // each call mints the reward again: 10x BEAT in total
}

Recommended Mitigation

In the implementation:

✅ Track (user, performanceId) attendance in a mapping:

    mapping(address => mapping(uint256 => bool)) public hasAttended;

✅ Reject repeat calls:

    require(!hasAttended[msg.sender][performanceId], "Already attended");
    hasAttended[msg.sender][performanceId] = true;

✅ Optionally track and enforce a minimum interval between check-ins (lastAttendTimestamp)

✅ Add anti-bot verification (e.g., signature proof or off-chain gating)

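Putting the recommended checks together in one hardened attendPerformance(), as an added example that is not the Beatland Festival code: the IBeatToken interface, the Performance struct, reward amounts, the one-hour cooldown and the owner-gated setter are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Beatland Festival code: the token interface, Performance
// struct, reward amounts, cooldown length and owner gating are all assumed.
interface IBeatToken {
    function mint(address to, uint256 amount) external;
}

contract HardenedAttendance {
    struct Performance {
        uint64 startTime;
        uint64 endTime;
        uint256 reward; // BEAT minted per valid check-in
    }

    IBeatToken public immutable beat;
    address public immutable owner;
    uint256 public constant ATTEND_COOLDOWN = 1 hours; // assumed interval
    mapping(uint256 => Performance) public performances;
    // Replay protection: exactly one check-in per (user, performanceId).
    mapping(address => mapping(uint256 => bool)) public hasAttended;
    // Rate limit across performances: time of each user's last check-in.
    mapping(address => uint256) public lastAttendTimestamp;

    constructor(IBeatToken _beat) {
        beat = _beat;
        owner = msg.sender;
    }

    function addPerformance(uint256 id, uint64 start, uint64 end, uint256 reward) external {
        require(msg.sender == owner, "Not owner");
        performances[id] = Performance(start, end, reward);
    }

    function attendPerformance(uint256 performanceId) external {
        Performance memory p = performances[performanceId];
        require(p.endTime != 0, "Unknown performance");
        require(block.timestamp >= p.startTime && block.timestamp <= p.endTime, "Not live");
        require(!hasAttended[msg.sender][performanceId], "Already attended");
        require(block.timestamp >= lastAttendTimestamp[msg.sender] + ATTEND_COOLDOWN, "Cooldown active");

        // State is written before the external mint, so a second call in the same
        // block (looped, re-entrant or bundled) fails the checks above.
        hasAttended[msg.sender][performanceId] = true;
        lastAttendTimestamp[msg.sender] = block.timestamp;

        beat.mint(msg.sender, p.reward);
    }
}
```

The PoC loop above reverts on its second iteration against this contract, and the per-user timestamp also blocks rapid check-ins across different performances.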
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
