A single pass token can be used by multiple people to claim multiple rewards in one performance by rapid transfers.
Likelihood:
Reason 1: This occurs when a user attends a performance, then transfers their pass to another wallet during the same event. The new wallet can also attend and claim rewards because attendance is tracked per address, not per pass.
Reason 2: ERC-1155 passes are easily transferable. Users can automate pass transfers across multiple wallets to farm BEAT tokens from the same performance using a single pass.
Impact:
Impact 1: Multiple wallets can farm BEAT tokens from a single pass, inflating token supply and breaking the reward logic.
Impact 2: Undermines fairness — honest users get less value while malicious actors gain an unfair advantage, potentially devaluing the BEAT token.
**User1 attends a performance and earns 100 BEAT tokens.** They buy a General pass (ID 1), attend a performance (perfId), and their address is marked as having attended. So far, everything works as expected.
User1 transfers the same pass to User2, who also attends and earns 100 BEAT.
Since hasAttended[perfId][user2] is still false (tracking is by address, not token), User2 is able to attend the same performance using the same pass and also earn 100 BEAT.
With the proposed fix, attendance is tracked per token, not per address.
By using hasPassTokenAttended[performanceId][passTokenId], the contract ensures that each pass token ID can only be used once per performance, regardless of who holds it.
Prevents reward farming via transfers.
Even if the pass is transferred to another wallet, the new holder cannot attend the same performance again if the token has already been used — closing the loophole.
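The two bookkeeping schemes can be compared side by side in a small Python model of the contract's state. This is an added example, not the audited contract's code: the class `FestivalModel`, the helper `rewards_after_handoffs`, the wallet names and performance id 7 are all constructed for illustration, and the model assumes passes of one type share one id, as the "General pass (ID 1)" wording suggests.

```python
from collections import defaultdict

REWARD = 100       # BEAT per accepted attendance, the figure used in the write-up
GENERAL_PASS = 1   # pass id used in the write-up


class FestivalModel:
    """Toy ledger: ERC-1155-style balances plus attendance bookkeeping."""

    def __init__(self, track_by_pass):
        self.track_by_pass = track_by_pass
        self.pass_balance = defaultdict(int)  # (holder, pass_id) -> units held
        self.beat = defaultdict(int)          # holder -> BEAT earned
        self.has_attended = set()             # (perf_id, holder): original scheme
        self.has_pass_attended = set()        # (perf_id, pass_id): proposed scheme

    def mint(self, holder, pass_id):
        self.pass_balance[(holder, pass_id)] += 1

    def transfer(self, src, dst, pass_id):
        if self.pass_balance[(src, pass_id)] < 1:
            raise ValueError("no pass to transfer")
        self.pass_balance[(src, pass_id)] -= 1
        self.pass_balance[(dst, pass_id)] += 1

    def attend(self, holder, perf_id, pass_id):
        """Return True and credit the reward if attendance is accepted."""
        if self.pass_balance[(holder, pass_id)] < 1:
            return False  # caller does not hold the pass
        if self.track_by_pass:
            seen, key = self.has_pass_attended, (perf_id, pass_id)
        else:
            seen, key = self.has_attended, (perf_id, holder)
        if key in seen:
            return False  # already recorded for this performance
        seen.add(key)
        self.beat[holder] += REWARD
        return True


def rewards_after_handoffs(model, wallets, perf_id=7):
    """Mint one pass, hand it down the wallet list, attend at each stop.

    Returns the total BEAT credited across all wallets (constructed scenario).
    """
    model.mint(wallets[0], GENERAL_PASS)
    for i, wallet in enumerate(wallets):
        model.attend(wallet, perf_id, GENERAL_PASS)
        if i + 1 < len(wallets):
            model.transfer(wallet, wallets[i + 1], GENERAL_PASS)
    return sum(model.beat[w] for w in wallets)
```

In this model a key of `(performanceId, passTokenId)` also rejects a second wallet that holds its own unit of the same id, so the check is only as fine-grained as the pass ids themselves; the write-up does not say whether ids are unique per pass.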