Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: medium
Likelihood: medium
Invalid

Zero-Reward Performances Can Be Created, Resulting in No BEAT Token Incentive

Root + Impact

Description

  • Normally, the createPerformance function is expected to create events that award BEAT tokens to attendees as an incentive for participation.

  • However, the function allows the organizer to set the reward parameter to zero, which results in performances where users receive no BEAT token rewards even after attending. This can lead to confusion, poor user experience, and potentially undermine the tokenomics of the application.

function createPerformance(
    uint256 startTime,
    uint256 duration,
    uint256 reward
) external onlyOrganizer returns (uint256) {
    require(startTime > block.timestamp, "Start time must be in the future");
    require(duration > 0, "Duration must be greater than 0");
    // @> No validation that reward > 0 before it is stored below
    performances[performanceCount] = Performance({
        startTime: startTime,
        endTime: startTime + duration,
        baseReward: reward // @> zero is accepted here
    });
    emit PerformanceCreated(performanceCount, startTime, startTime + duration);
    return performanceCount++;
}

Risk

Likelihood:

  • This will occur whenever the organizer (intentionally or accidentally) creates a performance with a reward value of zero.

  • No validation or restriction in the contract prevents organizers from setting a zero reward for performances.

Impact:

  • Attendees of such performances will receive no BEAT tokens, leading to a confusing or disappointing user experience.

  • The existence of zero-reward performances could be exploited to create spam or "dummy" events, potentially impacting event and token credibility.

Proof of Concept

// The following demonstrates how an organizer can create a zero-reward event and its impact on users.
// Step 1: Organizer creates a performance with reward = 0.
// createPerformance returns the new performance's id, which Step 2 needs.
uint256 performanceId = festivalPass.createPerformance(
    block.timestamp + 3600, // future start time
    3600, // 1 hour duration
    0 // ZERO reward
);
// Step 2: A user attends the performance, expecting a reward.
festivalPass.attendPerformance(performanceId); // No BEAT tokens are minted for the user
// As a result, users are not rewarded for their attendance, which can be confusing or frustrating.

Explanation:
This Proof of Concept shows that the organizer can create an event with a reward of zero, leading to a situation where users who attend receive no BEAT tokens. This can erode user trust and engagement with the platform.

Recommended Mitigation

- performances[performanceCount] = Performance({
- startTime: startTime,
- endTime: startTime + duration,
- baseReward: reward
- });
+ require(reward > 0, "Reward must be greater than 0");
+ performances[performanceCount] = Performance({
+ startTime: startTime,
+ endTime: startTime + duration,
+ baseReward: reward
+ });
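
Review bot: the five removed lines and the last five added lines are the same Performance struct assignment, so the only effective change is the new require(reward > 0, ...) line; trim the diff to that single addition so the fix is unambiguous. Place it directly after the existing startTime and duration require statements, and confirm that no intended flow relies on a performance with baseReward of zero, since this check rejects all of them.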

Explanation:
By adding a require(reward > 0, "Reward must be greater than 0"); check before the performance is created, you prevent the creation of zero-reward events. This ensures all performances incentivize user participation and upholds the integrity of the platform's reward system.
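
A Foundry regression test for the recommended check, as an added example that is not part of the original submission or the contest code base. PerformanceRegistry is a hypothetical stand-in that copies only the createPerformance logic shown above with the require added; the organizer address, the onlyOrganizer body, the event declaration and the test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in: only the createPerformance logic from the report, plus the proposed check.
contract PerformanceRegistry {
    struct Performance { uint256 startTime; uint256 endTime; uint256 baseReward; }

    address public organizer; // assumed access-control model
    uint256 public performanceCount;
    mapping(uint256 => Performance) public performances;
    event PerformanceCreated(uint256 indexed id, uint256 startTime, uint256 endTime);

    modifier onlyOrganizer() { require(msg.sender == organizer, "Only organizer"); _; }
    constructor(address _organizer) { organizer = _organizer; }

    function createPerformance(uint256 startTime, uint256 duration, uint256 reward)
        external onlyOrganizer returns (uint256)
    {
        require(startTime > block.timestamp, "Start time must be in the future");
        require(duration > 0, "Duration must be greater than 0");
        require(reward > 0, "Reward must be greater than 0"); // proposed mitigation
        performances[performanceCount] =
            Performance({startTime: startTime, endTime: startTime + duration, baseReward: reward});
        emit PerformanceCreated(performanceCount, startTime, startTime + duration);
        return performanceCount++;
    }
}

contract ZeroRewardTest is Test {
    address organizer = makeAddr("organizer"); // constructed test address
    PerformanceRegistry registry;

    function setUp() public { registry = new PerformanceRegistry(organizer); }

    function test_RevertWhen_RewardIsZero() public {
        vm.prank(organizer);
        vm.expectRevert(bytes("Reward must be greater than 0"));
        registry.createPerformance(block.timestamp + 1 hours, 1 hours, 0);
        assertEq(registry.performanceCount(), 0); // nothing was stored
    }

    function testFuzz_NonZeroRewardIsStored(uint256 reward) public {
        reward = bound(reward, 1, type(uint256).max); // every non-zero value must still pass
        vm.prank(organizer);
        uint256 id = registry.createPerformance(block.timestamp + 1 hours, 1 hours, reward);
        (,, uint256 baseReward) = registry.performances(id);
        assertEq(baseReward, reward);
    }
}
```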

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
