Hawk High
First Flight #39
Beginner Friendly, Solidity
100 EXP

Submission Details
Impact: medium
Likelihood: low
Status: Invalid

Empty Session Vulnerability: Contract Allows Sessions with No Students or Teachers

Summary

The startSession function in the LevelOne contract fails to verify that there are enrolled students and registered teachers before initiating an educational session. This allows the principal to create empty sessions that serve no educational purpose, violating the core business logic of the school contract.

Vulnerability Details

function startSession(
    uint256 _cutOffScore
) public onlyPrincipal notYetInSession {
    sessionEnd = block.timestamp + 4 weeks;
    inSession = true;
    cutOffScore = _cutOffScore;
    emit SchoolInSession(block.timestamp, sessionEnd);
}

The function performs no validation of:

  1. The existence of teachers (listOfTeachers.length > 0)

  2. The enrollment of students (listOfStudents.length > 0)

This vulnerability enables the creation of sessions that have no educational participants, bypassing the fundamental purpose of the contract.

Impact

While this issue doesn't directly result in fund loss, it allows for:

  1. Bypass of Educational Requirements: The contract's primary purpose is to track and validate educational processes, which is undermined when sessions can exist without teachers or students.

  2. System State Inconsistency: Empty sessions create an illogical state in the system where educational activities are marked as occurring with no participants.

  3. Administrative Process Violation: Even with trusted administrators (principals), this represents a gap in the contract's validation logic that could lead to improper record-keeping.

  4. Downstream Process Disruption: Any processes that rely on session data (such as graduation or reviews) would be operating on invalid assumptions if they interact with empty sessions.

Tools Used

Manual Review

Recommendations

Add validations to ensure that educational sessions can only be started when both teachers and students are present:

function startSession(uint256 _cutOffScore) public onlyPrincipal notYetInSession {
    // Ensure there are teachers to conduct the session
    require(listOfTeachers.length > 0, "No teachers available");
    // Ensure there are students enrolled
    require(listOfStudents.length > 0, "No students enrolled");
    sessionEnd = block.timestamp + 4 weeks;
    inSession = true;
    cutOffScore = _cutOffScore;
    emit SchoolInSession(block.timestamp, sessionEnd);
}

While the principal may be a trusted entity, these validations provide guardrails that maintain the logical integrity of the system and prevent accidental misuse.
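To confirm that the recommended guard rejects empty sessions and still allows a properly populated one, here is an added Foundry test written for this report (not code from the Hawk High codebase). It runs against a constructed stand-in contract; the addTeacher and enroll helpers are hypothetical, since the real registration functions are not shown above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for LevelOne: only the state that the recommended startSession checks touch.
contract SessionGuardModel {
    address public principal;
    address[] public listOfTeachers;
    address[] public listOfStudents;
    bool public inSession;
    uint256 public sessionEnd;
    uint256 public cutOffScore;
    modifier onlyPrincipal() { require(msg.sender == principal, "Not principal"); _; }
    modifier notYetInSession() { require(!inSession, "Already in session"); _; }
    constructor() { principal = msg.sender; }
    // Hypothetical registration helpers; the real contract's functions are not shown in the report.
    function addTeacher(address teacher) external onlyPrincipal { listOfTeachers.push(teacher); }
    function enroll(address student) external { listOfStudents.push(student); }

    // The recommended version: refuses to open a session with no participants.
    function startSession(uint256 _cutOffScore) public onlyPrincipal notYetInSession {
        require(listOfTeachers.length > 0, "No teachers available");
        require(listOfStudents.length > 0, "No students enrolled");
        sessionEnd = block.timestamp + 4 weeks;
        inSession = true;
        cutOffScore = _cutOffScore;
    }
}

contract SessionGuardTest is Test {
    SessionGuardModel school;
    function setUp() public { school = new SessionGuardModel(); } // this test contract is the principal

    function test_RevertsWithoutTeachers() public {
        vm.expectRevert(bytes("No teachers available"));
        school.startSession(70);
    }
    function test_RevertsWithoutStudents() public {
        school.addTeacher(makeAddr("teacher"));
        vm.expectRevert(bytes("No students enrolled"));
        school.startSession(70);
    }
    function test_StartsWhenBothPresent() public {
        school.addTeacher(makeAddr("teacher"));
        school.enroll(makeAddr("student"));
        school.startSession(70);
        assertTrue(school.inSession());
        assertEq(school.cutOffScore(), 70);
    }
}
```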

POC

function testEmptySessionAttack() public {
    // Setup with a principal but no teachers or students
    deployBot = new DeployLevelOne();
    proxyAddress = deployBot.deployLevelOne();
    levelOneProxy = LevelOne(proxyAddress);

    // Verify no teachers or students
    uint256 teacherCount = levelOneProxy.getTotalTeachers();
    uint256 studentCount = levelOneProxy.getTotalStudents();
    console.log("====== INITIAL STATE ======");
    console.log("Number of teachers:", teacherCount);
    console.log("Number of students:", studentCount);
    assert(teacherCount == 0);
    assert(studentCount == 0);

    // Principal can still start a session
    console.log("\n====== STARTING SESSION ======");
    console.log("Session status before:", levelOneProxy.getSessionStatus());
    vm.prank(principal);
    levelOneProxy.startSession(70);

    // Session is active with no participants
    bool sessionActive = levelOneProxy.getSessionStatus();
    console.log("Session status after:", sessionActive);
    console.log("Cut-off score set to:", levelOneProxy.cutOffScore());
    assert(sessionActive == true);
}

Output

====== INITIAL STATE ======
Number of teachers: 0
Number of students: 0
====== STARTING SESSION ======
Session status before: false
Session status after: true
Cut-off score set to: 70

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Design choice