The redeemMemorabilia function in the FestivalPass contract fails to verify that users actually attended the festival before allowing them to redeem memorabilia NFTs. The function only checks if the user has sufficient BEAT tokens and if the collection is active, but does not validate festival pass ownership or performance attendance. Since BEAT tokens are standard ERC20 tokens that can be freely transferred, users who never attended the festival can acquire BEAT tokens through secondary markets or transfers and redeem memorabilia intended as proof-of-attendance collectibles.
Attack path:
1. A real festival attendee purchases a pass using buyPass() and earns BEAT tokens by attending performances via attendPerformance().
2. The attacker acquires BEAT tokens through either:
   - a direct transfer from the attendee using the standard ERC20 transfer(), or
   - a purchase on secondary markets/DEXes.
3. The attacker calls redeemMemorabilia(collectionId) with a sufficient BEAT token balance.
4. The contract burns the attacker's BEAT tokens and mints a unique memorabilia NFT without verifying festival attendance.
5. The attacker now owns a "proof-of-attendance" NFT despite never having attended the festival.

Impact:
- The NFTs lose their value as genuine proof-of-attendance collectibles.
- Non-attendees can acquire festival memorabilia without contributing to the festival economy through pass purchases.
Add attendance verification to the redeemMemorabilia function:
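The following is an added illustration of that mitigation, not the FestivalPass project's code: it gates redemption on pass ownership and a per-collection attendance threshold recorded on-chain, so a transferable BEAT balance alone is no longer sufficient. The storage names (hasPass, performancesAttended, Collection.minPerformances), the IBeatToken interface and the simplified buyPass()/attendPerformance() bodies are assumptions; the page only names the three functions and the BEAT token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal BEAT interface assumed for this example; the finding only states BEAT is an ERC20.
interface IBeatToken {
    function burnFrom(address account, uint256 amount) external;
}

abstract contract FestivalPassHardened {
    IBeatToken public immutable beat;
    uint256 public immutable passPrice;
    // Attendance state recorded on-chain. Names are hypothetical: the page only
    // gives buyPass(), attendPerformance() and redeemMemorabilia().
    mapping(address => bool) public hasPass;
    mapping(address => uint256) public performancesAttended;
    struct Collection { uint256 priceInBeat; uint256 minPerformances; bool active; uint256 minted; }
    mapping(uint256 => Collection) public collections;
    event MemorabiliaRedeemed(address indexed attendee, uint256 indexed collectionId, uint256 tokenIndex);

    constructor(IBeatToken _beat, uint256 _passPrice) { beat = _beat; passPrice = _passPrice; }

    // Assumed simplified pass purchase; the real implementation is not on the page.
    function buyPass() external payable {
        require(msg.value == passPrice, "wrong pass price");
        hasPass[msg.sender] = true;
    }

    // Assumed attendance hook: only pass holders accrue attendance (BEAT rewards omitted here).
    function attendPerformance(uint256 /*performanceId*/) external {
        require(hasPass[msg.sender], "no festival pass");
        performancesAttended[msg.sender] += 1;
    }

    function redeemMemorabilia(uint256 collectionId) external {
        Collection storage c = collections[collectionId];
        require(c.active, "collection inactive");
        // The original only checked the BEAT balance. BEAT is a transferable ERC20, so
        // holding it proves nothing; gate on state that only attendance can set.
        require(hasPass[msg.sender], "no festival pass");
        require(performancesAttended[msg.sender] >= c.minPerformances, "insufficient attendance");
        beat.burnFrom(msg.sender, c.priceInBeat);
        uint256 tokenIndex = ++c.minted;
        emit MemorabiliaRedeemed(msg.sender, collectionId, tokenIndex);
        _mintMemorabilia(msg.sender, collectionId, tokenIndex);
    }

    // NFT mint left to the concrete contract (ERC721/ERC1155); the page does not show it.
    function _mintMemorabilia(address to, uint256 collectionId, uint256 tokenIndex) internal virtual;
}
```

Because hasPass and performancesAttended are written only by functions the caller must execute themselves, buying or receiving BEAT on a secondary market no longer unlocks redemption.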
Alternatively, implement a soul-bound or non-transferable BEAT token mechanism specifically for memorabilia redemption to ensure only earned tokens can be used.