Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Impact: high
Likelihood: low
Invalid

Potential Payment Blockage in `graduateAndUpgrade`

Summary

Potential blockage of payments to all teachers and the principal in the graduateAndUpgrade function due to a single failed transfer to a blacklisted address.

Vulnerability Details

The `graduateAndUpgrade` function in the `LevelOne` contract iterates through the `listOfTeachers` array to pay each teacher their share of the bursary and then pays the principal. If the `usdc.safeTransfer()` call to the principal or any teacher's address fails (e.g., if the teacher's or principal's address is blacklisted by the `usdc` token contract), the entire transaction will revert, preventing any teacher or the principal from receiving their payment. This creates a vulnerability where a single problematic teacher or principal address can block all payments.

Impact

  • Payment Blockage: All teachers and the principal can be denied their rightful payments if a transfer to even one teacher fails.

Tools Used

Manual code review and analysis.

Recommendations

Implement Individual Withdrawal Mechanism: Instead of transferring funds to all teachers and the principal within the graduateAndUpgrade function, create a separate withdrawPayment() function that each teacher and the principal can call individually to claim their payment.
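
The withdrawal mechanism recommended above, written out as an added example; it is not code from the submission or from the Hawk High codebase. The contract name `BursaryPayouts`, the `creditPayouts` function, the `owed` and `totalOwed` fields and the caller-supplied share amounts are assumptions, and the imports assume OpenZeppelin Contracts is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added example of pull-payment accounting. Names other than usdc, listOfTeachers
// and withdrawPayment are hypothetical; share amounts are supplied by the caller.
contract BursaryPayouts {
    using SafeERC20 for IERC20;

    IERC20 public immutable usdc;
    address public immutable principal;
    address[] public listOfTeachers;
    mapping(address => uint256) public owed; // credited but not yet withdrawn
    uint256 public totalOwed;                // sum of all outstanding credits

    error NotPrincipal();
    error NothingOwed();
    error Underfunded();

    constructor(IERC20 _usdc, address _principal, address[] memory teachers) {
        usdc = _usdc;
        principal = _principal;
        listOfTeachers = teachers;
    }

    // Stands in for the transfer loop: storage writes only, so no recipient can revert it.
    function creditPayouts(uint256 perTeacher, uint256 principalShare) external {
        if (msg.sender != principal) revert NotPrincipal();
        uint256 n = listOfTeachers.length;
        for (uint256 i = 0; i < n; i++) {
            owed[listOfTeachers[i]] += perTeacher;
        }
        owed[principal] += principalShare;
        totalOwed += perTeacher * n + principalShare;
        if (usdc.balanceOf(address(this)) < totalOwed) revert Underfunded();
    }

    // Each recipient claims for itself; a blacklisted address reverts only its own call.
    function withdrawPayment() external {
        uint256 amount = owed[msg.sender];
        if (amount == 0) revert NothingOwed();
        owed[msg.sender] = 0; // effects before the external call
        totalOwed -= amount;
        usdc.safeTransfer(msg.sender, amount);
    }
}
```

A recipient whose transfer fails keeps its credit in `owed`, and the other recipients' withdrawals are unaffected.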

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Design choice
