Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Impact: high
Likelihood: high
Invalid

Multiple Uninitialized State Variables in School Management Contract

deucefury

Summary

The Slither static analyzer has identified four critical state variables in the LevelTwo contract that are declared but never initialized before being used in various getter functions. These variables include principal, listOfStudents, listOfTeachers, and usdc.

Vulnerability Details

Four state variables are declared but never initialized in the LevelTwo contract:

  1. principal (line 11): Used in the getPrincipal() function (lines 30-32)

  2. listOfStudents (line 19): Used in getTotalStudents() (lines 42-44) and getListOfStudents() (lines 46-48)

  3. listOfTeachers (line 20): Used in getTotalTeachers() (lines 38-40) and getListOfTeachers() (lines 50-52)

  4. usdc (line 26): Used in getSchoolFeesToken() (lines 34-36)

In Solidity, uninitialized state variables default to their "zero values":

  • For principal (likely an address): defaults to address(0)

  • For arrays listOfStudents and listOfTeachers: default to empty arrays

  • For usdc (likely an ERC20 token address): defaults to address(0)

These default values may lead to unexpected behavior when the getter functions are called, as they will return these default values instead of meaningful data.

Impact

Medium to High. The impact varies based on how these variables are used:

  1. principal: If authorization checks rely on this address, security controls might be bypassed.

  2. listOfStudents and listOfTeachers: Functions that return these lists or their lengths will return empty arrays/zero counts, potentially breaking frontend integrations or reporting.

  3. usdc: If this token address is used for financial operations, attempts to transfer or check balances may fail or revert.

The contract appears to be related to a school management system with financial components, suggesting that these uninitialized variables could affect administrative controls, reporting accuracy, and financial operations.

Tools Used

Slither static analysis tool

Recommendations

Initialize Variables in Constructor or Initialize Function

constructor(address _principal, address _usdc) {
principal = _principal;
usdc = _usdc;
// Arrays don't need initialization unless you want to prepopulate them
}

Add Validation in Getter Functions

function getPrincipal() public view returns (address) {
require(principal != address(0), "Principal not set");
return principal;
}
function getSchoolFeesToken() public view returns (address) {
require(usdc != address(0), "Fee token not set");
return usdc;
}

Implement Setter Functions with Access Control

function setPrincipal(address _principal) public onlyOwner {
require(_principal != address(0), "Invalid address");
principal = _principal;
}
function setUSDC(address _usdc) public onlyOwner {
require(_usdc != address(0), "Invalid address");
usdc = _usdc;
}

Consider Immutability for Critical Variables

If these values should not change after initialization, consider making them immutable for gas optimization and security.

Add Events for Variable Changes

event PrincipalUpdated(address indexed oldPrincipal, address indexed newPrincipal);
event USDCUpdated(address indexed oldUsdc, address indexed newUsdc);
Updates

Lead Judging Commences

yeahchibyke Lead Judge
27 days ago
yeahchibyke Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
yeahchibyke Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.