Beatland Festival
First Flight #44
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Pass reconfiguration resets supply counter enabling overselling beyond safety limits

anchabadze

Description

The configurePass() function allows organizers to update pass pricing and maximum supply limits, but contains a critical flaw where it resets the current supply counter (passSupply[passId] = 0) regardless of how many passes have already been sold.

function configurePass(uint256 passId, uint256 price, uint256 maxSupply) external onlyOrganizer {
require(passId == GENERAL_PASS || passId == VIP_PASS || passId == BACKSTAGE_PASS, "Invalid pass ID");
require(price > 0, "Price must be greater than 0");
require(maxSupply > 0, "Max supply must be greater than 0");
passPrice[passId] = price;
passMaxSupply[passId] = maxSupply;
passSupply[passId] = 0; // @audit <<<<<
}

This reset allows the protocol to sell additional passes up to the new maximum limit, potentially resulting in total sales that far exceed the intended capacity limits.

Docs states "...attend virtual(or not) performances...". Since festival venues have physical capacity constraints for safety reasons, this vulnerability can lead to dangerous overcrowding situations.

Attack path:

  1. Organizer initially configures VIP passes: configurePass(2, 0.1 ether, 100) setting maximum supply to 100

  2. Users purchase 90 VIP passes through buyPass(), bringing passSupply[VIP_PASS] to 90

  3. Organizer calls configurePass() again to update pricing: configurePass(2, 0.15 ether, 100)

  4. The function resets passSupply[VIP_PASS] = 0 despite 90 passes already being sold

  5. Protocol now allows 100 additional VIP passes to be sold through buyPass()

  6. Total VIP passes in circulation: 190 (90 original + 100 new) exceeding the intended 100 limit

  7. 190 VIP holders attempt to access a venue designed for maximum 100 VIP attendees

Impact:

Venue overcrowding beyond designed capacity limits creates risk of injuries, stampedes, and emergency evacuation difficulties

Exceeding fire safety and building capacity codes may result in legal liability and event shutdown

Overcrowding hampers emergency services access and crowd management

Overcrowded VIP areas lose exclusivity value and comfort promised to premium ticket holders

Organizers can intentionally exploit this to oversell passes for financial gain at the expense of safety

Safety incidents or poor experiences damage festival brand and future attendance

Recommended Mitigation:

Remove the supply counter reset from configurePass() and add validation:

function configurePass(uint256 passId, uint256 price, uint256 maxSupply) external onlyOrganizer {
require(passId == GENERAL_PASS || passId == VIP_PASS || passId == BACKSTAGE_PASS, "Invalid pass ID");
require(price > 0, "Price must be greater than 0");
require(maxSupply >= passSupply[passId], "New max supply cannot be less than current supply");
passPrice[passId] = price;
passMaxSupply[passId] = maxSupply;
- passSupply[passId] = 0;
}

Alternatively, implement separate functions for price updates vs initial configuration to prevent accidental supply resets.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

configurePass resets the current pass supply circumventing the max supply check

This is not acceptable as high because any attack vectors related to organizer trying to milk ETH from participants is voided by the fact that the organizer is trusted.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.