Missing CutOff Score Validation in Upgrade Allows Underperforming Students to Graduate
Summary
The graduateAndUpgrade function does not validate whether students meet the cutOffScore before allowing system upgrades. This violates the invariant that only students with scores ≥ cutOffScore should progress.
Vulnerability Details
Key Issues:
-
No Score Checks During Upgrade:
The
graduateAndUpgradefunction lacks logic to verifystudentScore[student] >= cutOffScore.Example: A student with a score of 50 (below a
cutOffScoreof 70) will still be included in the upgrade.
Impact
Invalid Graduations: Students below the
cutOffScorecan graduate, undermining academic standards.Protocol Integrity Loss: The system fails to enforce its core eligibility rule, eroding trust.
Tools Used
Manual code review
Recommendations
Add CutOff Validation in
graduateAndUpgrade. Note that you cannot directly iterate over the student list to check if they meet the cut off since this will lead to a Dos if the array gets too big, I recommend adding a state to the contract that checks if all student score has been validated. This state will be toggoled by a function that allows this validation to occur in batches.
Lead Judging Commences
cut-off criteria not applied
All students are graduated when the graduation function is called as the cut-off criteria is not applied.
cut-off criteria not applied
All students are graduated when the graduation function is called as the cut-off criteria is not applied.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.