Summary

The graduateAndUpgrade() function allows the principal to upgrade the system to a new contract version. However, it lacks validation checks to ensure that the school session has ended and that students have received their mandatory 4 reviews.

Vulnerability Details

According to the rules of the system, a session must:

• Last exactly 4 weeks,

• Require all students to have received 4 reviews,

• Ensure only passing students are graduated.

None of these conditions are enforced before calling _authorizeUpgrade() inside graduateAndUpgrade(). This could allow an upgrade to take place prematurely, potentially breaking state logic or graduation flow.

Impact

A malicious or careless principal could upgrade the contract:

• Before the 4-week session ends,

• Before all students are reviewed,

• With students who did not meet the cutOffScore still marked as active.

This can lead to logical inconsistencies in the system and violate business rules, breaking the core intended behavior of Hawk High School.

Tools Used

Manual review

Recommendations

Add the following checks before _authorizeUpgrade():

require(block.timestamp >= sessionEnd, "Session not yet ended");

for (uint256 i = 0; i < listOfStudents.length; i++) {
address student = listOfStudents[i];
require(reviewCount[student] == 4, "Incomplete reviews");
require(studentScore[student] >= cutOffScore, "Student failed");
}

*Also consider emitting an event after a successful upgrade to improve traceability.