Beatland Festival

AI First Flight #4
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: medium
Likelihood: low
Invalid

Unrestricted Zero-Reward Performance Configuration Causes Inconsistent BEAT Token Distribution and Breaks Reward Guarantees

Description

The protocol is designed to reward users with BEAT tokens for attending performances. However, the current implementation introduces two conditions that allow users to receive zero BEAT tokens despite valid participation:

  1. General Pass holders receive no BEAT tokens upon pass purchase:

    uint256 bonus =
        (collectionId == VIP_PASS) ? 5e18 :
        (collectionId == BACKSTAGE_PASS) ? 15e18 :
        0;

  2. The createPerformance() function allows reward = 0 without validation:

    function createPerformance(
        uint256 startTime,
        uint256 duration,
        uint256 reward
    ) external onlyOrganizer {
        require(startTime > block.timestamp);
        require(duration > 0);
        // reward may be 0
    }

  3. BEAT tokens are minted solely based on the configured reward:

    BeatToken(beatToken).mint(
        msg.sender,
        performances[performanceId].baseReward * multiplier
    );

As a result, users—especially General Pass holders—can attend performances, pay gas, and still receive no BEAT tokens, despite the protocol being positioned as a reward-based system.


Impact

Primary Impact

  • Users may attend performances without receiving BEAT tokens.

  • Reward expectations are not consistently met.

Secondary Impact

  • Reduced incentive for General Pass holders to participate.

  • Confusion or dissatisfaction among users.

  • Misalignment between documentation, UI expectations, and on-chain behavior.


Proof of Concept (PoC)

Scenario

  1. Organizer configures a General Pass.

  2. Organizer creates a performance with:

    reward = 0;

  3. User purchases a General Pass (receives 0 BEAT bonus).

  4. User attends the performance successfully.

  5. attendPerformance() executes:

    baseReward * multiplier = 0 * 1 = 0

  6. User receives 0 BEAT tokens.

Result

  • User paid ETH and gas.

  • User followed protocol rules.

  • User received no BEAT reward.


Recommended Mitigation

Option A — Enforce Guaranteed Rewards (Strict Incentive Model)

Require all performances to distribute BEAT tokens:

    require(reward > 0, "Reward must be greater than 0");
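
The Option A check in context, as an added example that is not the audited contract or the project's own code. The contract name, the internal `beatBalance` ledger standing in for `BeatToken.mint`, the caller-supplied `multiplier` argument, the events and the revert strings are all assumptions made so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified stand-in for the festival contract (hypothetical, not the audited code).
/// An internal ledger replaces the external BeatToken.mint call.
contract PerformanceRewardModel {
    struct Performance { uint256 startTime; uint256 endTime; uint256 baseReward; }

    address public immutable organizer;
    uint256 public performanceCount;
    mapping(uint256 => Performance) public performances;
    mapping(uint256 => mapping(address => bool)) public attended;
    mapping(address => uint256) public beatBalance; // assumed stand-in for BEAT

    event PerformanceCreated(uint256 indexed id, uint256 baseReward);
    event Attended(uint256 indexed id, address indexed user, uint256 minted);

    modifier onlyOrganizer() {
        require(msg.sender == organizer, "Only organizer");
        _;
    }

    constructor() { organizer = msg.sender; }

    function createPerformance(uint256 startTime, uint256 duration, uint256 reward)
        external onlyOrganizer returns (uint256 id)
    {
        require(startTime > block.timestamp, "Start time must be in the future");
        require(duration > 0, "Duration must be greater than 0");
        require(reward > 0, "Reward must be greater than 0"); // Option A check
        id = performanceCount++;
        performances[id] = Performance(startTime, startTime + duration, reward);
        emit PerformanceCreated(id, reward);
    }

    /// Model only: a real contract would derive the multiplier from the caller's
    /// pass. The report's scenario uses 1 for a General Pass.
    function attendPerformance(uint256 id, uint256 multiplier) external {
        Performance memory p = performances[id];
        // An unknown id has startTime = endTime = 0, so it fails this check too.
        require(block.timestamp >= p.startTime && block.timestamp < p.endTime, "Not active");
        require(!attended[id][msg.sender], "Already attended");
        require(multiplier > 0, "Multiplier must be greater than 0");
        attended[id][msg.sender] = true;
        uint256 minted = p.baseReward * multiplier; // > 0: both factors are > 0
        beatBalance[msg.sender] += minted;
        emit Attended(id, msg.sender, minted);
    }
}
```

With the added `require`, the PoC's `reward = 0` configuration reverts at creation time, so every performance that can be attended has a non-zero `baseReward`.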

Conclusion

The protocol’s current design allows valid participation without BEAT rewards due to unrestricted zero-reward performance creation and the absence of General Pass bonuses. While not a security vulnerability, this behavior introduces incentive inconsistency and may conflict with user expectations. Enforcing a minimum reward or explicitly documenting zero-reward scenarios will restore clarity and reliability to the protocol’s reward mechanism.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
