Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Pass transferability enables unlimited users to earn BEAT tokens from single pass purchase

Description:

The FestivalPass contract implements passes as standard ERC1155 tokens, so a pass can be freely transferred between addresses. Attendance tracking and the cooldown period are keyed to the caller's address, not to the pass itself, so nothing records that a given pass has already been used to earn rewards. Several users can therefore hand one pass around, each attend a performance while holding it, and each earn BEAT tokens. This breaks the intended economic model, in which every participant buys their own pass to take part in the festival ecosystem.

Attack path:

  1. User A purchases a festival pass using buyPass() (e.g., VIP pass for 0.1 ETH)

  2. User A attends a performance via attendPerformance() and earns BEAT tokens with their multiplier

  3. User A transfers the pass to User B using standard ERC1155 safeTransferFrom()

  4. User B waits for the 1-hour cooldown period to expire

  5. User B attends a different performance using the same pass and earns BEAT tokens

  6. User B transfers the pass to User C, who repeats the process

  7. This cycle continues indefinitely with new users, allowing unlimited BEAT token generation from a single pass purchase

Impact:

The protocol receives ETH payment for only one pass but distributes BEAT rewards to unlimited users

Excessive token minting without corresponding ETH revenue dilutes token value

Organizers lose potential pass sales as users share passes instead of purchasing individual ones

Recommended Mitigation:

Make passes non-transferable (soulbound) by overriding the ERC1155 transfer entry points so that any wallet-to-wallet move reverts. ERC1155 exposes two transfer functions, safeTransferFrom and safeBatchTransferFrom; both must be blocked, otherwise the attack simply uses the batch path. Minting through buyPass() must keep working, which is the case here because minting does not go through these public functions.

function safeTransferFrom(address, address, uint256, uint256, bytes memory) public pure override {
    revert("Passes are non-transferable");
}

function safeBatchTransferFrom(address, address, uint256[] memory, uint256[] memory, bytes memory) public pure override {
    revert("Passes are non-transferable");
}
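As an added example (not the Beatland FestivalPass code), the same restriction can be enforced in one place by overriding the internal `_update` hook, which every mint, burn, single transfer and batch transfer passes through in OpenZeppelin Contracts v5 ERC1155. The snippet assumes OpenZeppelin v5 and Foundry's forge-std are installed; the contract name FestivalPassExample, the mintPass() stand-in for buyPass(), the custom error PassNotTransferable and the pass id are placeholders chosen for this illustration. The Foundry test below it checks that minting still succeeds while both transfer paths from step 3 of the attack path revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Beatland FestivalPass contract. Assumes
// OpenZeppelin Contracts v5 and forge-std; FestivalPassExample, mintPass
// and PassNotTransferable are placeholder names for this illustration.
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {Test} from "forge-std/Test.sol";

contract FestivalPassExample is ERC1155 {
    error PassNotTransferable();

    constructor() ERC1155("") {}

    // Stand-in for the real buyPass(): payment and access control are
    // omitted because only the transfer restriction is being shown.
    function mintPass(address to, uint256 id) external {
        _mint(to, id, 1, "");
    }

    // In OZ v5 every balance change (mint, burn, safeTransferFrom,
    // safeBatchTransferFrom) funnels through _update, so one override
    // covers both public transfer functions. Mints (from == 0) and burns
    // (to == 0) still pass; wallet-to-wallet moves revert.
    function _update(
        address from,
        address to,
        uint256[] memory ids,
        uint256[] memory values
    ) internal override {
        if (from != address(0) && to != address(0)) {
            revert PassNotTransferable();
        }
        super._update(from, to, ids, values);
    }
}

contract FestivalPassExampleTest is Test {
    FestivalPassExample pass;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    uint256 constant VIP_PASS = 3; // placeholder pass id

    function setUp() public {
        pass = new FestivalPassExample();
        pass.mintPass(alice, VIP_PASS); // User A buys a pass (step 1)
    }

    // Minting is unaffected by the restriction.
    function test_MintAllowed() public view {
        assertEq(pass.balanceOf(alice, VIP_PASS), 1);
    }

    // Step 3 of the attack path (hand the pass to User B) now reverts.
    function test_SingleTransferBlocked() public {
        vm.prank(alice);
        vm.expectRevert(FestivalPassExample.PassNotTransferable.selector);
        pass.safeTransferFrom(alice, bob, VIP_PASS, 1, "");
        assertEq(pass.balanceOf(bob, VIP_PASS), 0);
    }

    // The batch path is closed by the same hook.
    function test_BatchTransferBlocked() public {
        uint256[] memory ids = new uint256[](1);
        uint256[] memory amounts = new uint256[](1);
        ids[0] = VIP_PASS;
        amounts[0] = 1;
        vm.prank(alice);
        vm.expectRevert(FestivalPassExample.PassNotTransferable.selector);
        pass.safeBatchTransferFrom(alice, bob, ids, amounts, "");
        assertEq(pass.balanceOf(bob, VIP_PASS), 0);
    }
}
```

Run with `forge test --match-contract FestivalPassExampleTest`. Hooking `_update` rather than the two public functions means a future helper that moves balances internally is covered as well, and burning a pass (if the protocol ever wants to) remains possible. If the project uses OpenZeppelin v4 instead, the equivalent hook is `_beforeTokenTransfer`, with the same from/to check.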
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Unlimited beat farming by transferring passes to other addresses.
