Beatland Festival

AI First Flight #4

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Reward_Overflow

cheng10101

Root + Impact

Description

Normal behavior

createPerformance allows the organizer to define a new performance with a base BEAT reward that users receive when calling attendPerformance.
The reward is expected to be multiplied by a pass-based multiplier and safely distributed to attendees during an active performance.
Specific issue

The reward parameter is not validated for upper bounds when creating a performance.
If an excessively large baseReward is configured, the reward calculation inside attendPerformance can overflow when multiplied by the pass multiplier.
In Solidity ^0.8.x, this arithmetic overflow triggers a panic and causes the entire transaction to revert, preventing any user from successfully attending the performance.

// Root cause in the codebase with @> marks to highlight the relevant section

function createPerformance(

uint256 startTime,

uint256 duration,

uint256 reward

) external onlyOrganizer returns (uint256) {

require(startTime > block.timestamp, "Start time must be in the future");

require(duration > 0, "Duration must be greater than 0");

performances[performanceCount] = Performance({

startTime: startTime,

endTime: startTime + duration,

// @> baseReward has no upper bound check and can overflow later

baseReward: reward

});

emit PerformanceCreated(performanceCount, startTime, startTime + duration);

return performanceCount++;

}

Risk

Likelihood:

This occurs whenever an organizer configures a performance with a reward value that exceeds the safe arithmetic range once multipliers are applied.
No safeguards prevent accidental misconfiguration or malicious parameter selection.

Impact:

All calls to attendPerformance for the affected performance revert, resulting in a denial of service for participants.
Performances can become permanently unusable, disrupting protocol functionality and user trust.

Proof of Concept

function test_Reward_Overflow() public {

vm.prank(organizer);

festivalPass.configurePass(

BACKSTAGE_PASS,

10 ether,

);

vm.prank(organizer);

uint256 performanceID = festivalPass.createPerformance(

block.timestamp + 1,

2 hours,

type(uint256).max

);

vm.deal(user1, 10 ether);

vm.prank(user1);

festivalPass.buyPass{value: 10 ether}(BACKSTAGE_PASS);

// Warp to active performance window

vm.warp(block.timestamp + 1 hours + 2);

vm.prank(user1);

vm.expectRevert(stdError.arithmeticError);

festivalPass.attendPerformance(performanceID);

}

This demonstrates that an excessively large baseReward causes an arithmetic overflow during reward calculation, reverting the transaction and blocking participation.

Recommended Mitigation

Introduce an upper bound check on reward to ensure that reward calculations remain within safe arithmetic limits even after applying the maximum multiplier.

function createPerformance(

uint256 startTime,

uint256 duration,

uint256 reward

) external onlyOrganizer returns (uint256) {

+ require(reward <= type(uint256).max / BACKSTAGE_PASS, "Reward too large");

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!