The buyPass function currently lacks any purchase validation, so a single address can mint an unlimited number of passes. This creates two critical issues. First, it leads to capital inefficiency for users who inadvertently purchase multiple passes without realizing that rewards do not scale with quantity; the extra passes are redundant, so the funds spent on them are permanently lost. Second, the absence of a purchase limit, combined with the lack of transfer restrictions, allows a whale or other malicious actor to monopolize the supply. By spreading purchases across numerous sub-wallets, such an actor can capture a disproportionate share of the reward pool, undermining the protocol's intended distribution and harming the long-term fairness of the ecosystem.
Likelihood:
There is a strong financial incentive for whales to hoard passes if the rewards are valuable, and accidental over-purchasing is highly possible for retail users.
Impact:
Users face financial loss by buying redundant passes with no extra rewards, while attackers can monopolize rewards through Sybil attacks, harming ecosystem fairness.
A single user can exhaust the entire supply of passes.
Recommendation:
Implement a per-address limit of one pass by adding a mapping check in the buyPass function.
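The following is an added illustration of the recommended fix, not code from the audited protocol. The contract, its price and supply fields, and the `hasPurchased` mapping are assumptions; the unrestricted function is shown only to contrast the missing check with the hardened buyPass.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal pass sale written for this finding (not the audited contract).
contract PassSale {
    uint256 public immutable maxSupply; // assumed supply cap
    uint256 public immutable price;     // assumed fixed price per pass
    uint256 public totalSold;

    // Per-address purchase record: one pass per address is the assumed entitlement.
    mapping(address => bool) public hasPurchased;

    event PassPurchased(address indexed buyer, uint256 indexed passId);

    constructor(uint256 _maxSupply, uint256 _price) {
        maxSupply = _maxSupply;
        price = _price;
    }

    // Shape of the issue: nothing ties a purchase to the caller, so the same
    // address can call this repeatedly until totalSold reaches maxSupply.
    function buyPassUnrestricted() external payable {
        require(msg.value == price, "wrong price");
        require(totalSold < maxSupply, "sold out");
        totalSold += 1;
        emit PassPurchased(msg.sender, totalSold);
    }

    // Hardened form: reject a second purchase from the same address and record
    // the purchase before any further state change or external interaction.
    function buyPass() external payable {
        require(msg.value == price, "wrong price");
        require(totalSold < maxSupply, "sold out");
        require(!hasPurchased[msg.sender], "one pass per address");
        hasPurchased[msg.sender] = true;
        totalSold += 1;
        emit PassPurchased(msg.sender, totalSold);
    }
}
```

The mapping check removes the accidental double-purchase loss and forces a hoarder to use a fresh address per pass; since the finding notes that passes are freely transferable, the per-address limit should be paired with the transfer restriction it describes to keep sub-wallet purchases from being consolidated.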