Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

[M-3] Missing Session-End Check Allows Premature Graduation and Upgrade

Summary

The graduateAndUpgrade function in the LevelOne contract never checks that the school session has ended before performing the upgrade. As a result, the principal can execute the graduation logic and swap the implementation immediately after deployment, bypassing the time lock that sessionEnd is meant to enforce. This breaks the invariant that graduation may only occur once the session has concluded.

Vulnerability Details

In the UUPS proxy pattern the implementation contract holds both the business logic and the upgrade logic: the proxy delegates every call to the implementation, which exposes the upgrade entry point (upgradeTo or upgradeToAndCall, depending on the OpenZeppelin version) and runs the _authorizeUpgrade hook before the implementation slot is rewritten (see the OpenZeppelin UUPS documentation). LevelOne correctly restricts _authorizeUpgrade to the principal, but neither graduateAndUpgrade nor _authorizeUpgrade compares block.timestamp against sessionEnd. Consequently, a call to

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal { … }

can be made at any time, irrespective of whether the period defined by

sessionEnd = block.timestamp + 4 weeks;

has elapsed. sessionEnd is written at initialisation but never read on this path, so the time-based control over graduation is a no-op and nothing stops a premature upgrade, or a repeated one, since no state on this path records that graduation already happened.

Impact

A malicious or compromised principal can trigger graduation and the upgrade to the LevelTwo implementation immediately after deployment, without waiting for the intended 4-week term. The session deadline that the rest of the protocol is built around offers no protection against the one role that controls upgrades.

Recommendations

To fix this, add a modifier that reverts while the session is still running and apply it to graduateAndUpgrade. Because the principal can also reach the upgrade path by calling upgradeToAndCall directly on the proxy, the same check belongs in _authorizeUpgrade (or only there), otherwise gating graduateAndUpgrade alone leaves a second, unguarded route to the upgrade:

// Reverts until the 4-week term set at initialisation has elapsed
modifier sessionEnded() {
    require(block.timestamp >= sessionEnd, "Session not ended");
    _;
}
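The gate applied end to end, as an added example that is not part of the original submission or of the Hawk High code base. LevelOneLike and LevelTwoLike are hypothetical stand-ins that keep only the pieces discussed above (a principal, a sessionEnd set 4 weeks after initialisation, UUPS authorisation); the Foundry test assumes OpenZeppelin Contracts Upgradeable v5 and forge-std are installed. It goes one step beyond the finding by gating _authorizeUpgrade as well, so a principal calling upgradeToAndCall directly on the proxy is blocked until the session ends, not just one going through graduateAndUpgrade.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical stand-ins, not the Hawk High contracts.
// Assumes OpenZeppelin Contracts Upgradeable v5 and forge-std.
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

contract LevelOneLike is Initializable, UUPSUpgradeable {
    address public principal;
    uint256 public sessionEnd;

    error NotPrincipal();
    error SessionNotEnded();

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    // The gate the finding recommends: reverts until the 4-week term is over.
    modifier sessionEnded() {
        if (block.timestamp < sessionEnd) revert SessionNotEnded();
        _;
    }

    function initialize(address _principal) external initializer {
        principal = _principal;
        sessionEnd = block.timestamp + 4 weeks;
    }

    // Same signature as the function discussed in the finding, now gated.
    function graduateAndUpgrade(address _levelTwo, bytes memory data) external onlyPrincipal sessionEnded {
        // graduation bookkeeping would go here, then the implementation swap
        upgradeToAndCall(_levelTwo, data);
    }

    // Gating the hook covers direct upgradeToAndCall calls on the proxy too.
    function _authorizeUpgrade(address) internal override onlyPrincipal sessionEnded {}
}

// Hypothetical LevelTwo: only needs to be a valid UUPS implementation so the
// ERC-1822 proxiableUUID check performed during the upgrade passes.
contract LevelTwoLike is UUPSUpgradeable {
    function _authorizeUpgrade(address) internal override {}
}

contract PrematureGraduationTest is Test {
    // ERC-1967 implementation slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    LevelOneLike levelOne;
    LevelTwoLike levelTwo;
    address principal = makeAddr("principal");

    function setUp() public {
        LevelOneLike impl = new LevelOneLike();
        bytes memory init = abi.encodeCall(LevelOneLike.initialize, (principal));
        levelOne = LevelOneLike(address(new ERC1967Proxy(address(impl), init)));
        levelTwo = new LevelTwoLike();
    }

    // Right after deployment the principal must not be able to graduate.
    function test_RevertWhen_GraduatingBeforeSessionEnd() public {
        vm.prank(principal);
        vm.expectRevert(LevelOneLike.SessionNotEnded.selector);
        levelOne.graduateAndUpgrade(address(levelTwo), "");
    }

    // The bypass route: calling the UUPS entry point directly is gated as well.
    function test_RevertWhen_DirectUpgradeBeforeSessionEnd() public {
        vm.prank(principal);
        vm.expectRevert(LevelOneLike.SessionNotEnded.selector);
        levelOne.upgradeToAndCall(address(levelTwo), "");
    }

    // Once sessionEnd is reached the same call succeeds and the proxy now
    // points at LevelTwo.
    function test_GraduateAfterSessionEnd() public {
        vm.warp(levelOne.sessionEnd());
        vm.prank(principal);
        levelOne.graduateAndUpgrade(address(levelTwo), "");
        address current = address(uint160(uint256(vm.load(address(levelOne), IMPL_SLOT))));
        assertEq(current, address(levelTwo));
    }
}
```

Run with forge test. The second test is the one that fails against a fix that decorates only graduateAndUpgrade, which is why the example puts the check on the upgrade hook as well as on the public function.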
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

can graduate without session end

`graduateAndUpgrade()` can be called successfully even when the school session has not ended
