Summary
A critical vulnerability allows the principal to prematurely distribute funds and upgrade the contract before the academic session concludes, violating the protocol's requirement that upgrades occur only after the session officially ends.
Vulnerability Details
The `graduateAndUpgrade` function lacks validation against the session end time (`sessionEnd`), enabling execution while:
The session is still active (`inSession == true`).
Student reviews may still be ongoing.
Final scores are not yet finalized.
Affected Code:
Risk:
Even though restricted to the principal, the function can be mistakenly or intentionally called before the session ends, bypassing critical timing safeguards.
Impact
Premature Fund Distribution: Teachers and the principal can withdraw bursary funds before the session concludes.
Invalid Graduations: Students may graduate without completing mandatory reviews or achieving finalized scores.
Protocol Instability: Upgrades during an active session could disrupt ongoing operations.
Tools Used
Manual code analysis.
Recommendations
Add a time validation check to enforce upgrades only after the session ends:
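A minimal sketch of such a check, added here as an illustration and not taken from the audited contract. Only `graduateAndUpgrade`, `sessionEnd` and `inSession` are names from the finding; the contract name, `startSession`, `pendingImplementation` and the custom errors are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Only graduateAndUpgrade,
// sessionEnd and inSession come from the finding; every other name is assumed.
contract SessionGatedUpgrade {
    address public immutable principal;
    uint256 public sessionEnd; // timestamp at which the session ends
    bool public inSession;
    address public pendingImplementation; // hypothetical stand-in for the upgrade step

    error NotPrincipal();
    error SessionNotStarted();
    error SessionStillActive(uint256 nowTs, uint256 endsAt);
    error ZeroAddress();

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    constructor() {
        principal = msg.sender;
    }

    // Hypothetical session opener so the example is self-contained.
    function startSession(uint256 duration) external onlyPrincipal {
        sessionEnd = block.timestamp + duration;
        inSession = true;
    }

    function graduateAndUpgrade(address newImplementation) external onlyPrincipal {
        // A session must have been opened; otherwise sessionEnd is 0 and the
        // time check below would pass trivially.
        if (!inSession) revert SessionNotStarted();
        // The validation the finding reports as missing: refuse until the
        // session end time has been reached.
        if (block.timestamp < sessionEnd) {
            revert SessionStillActive(block.timestamp, sessionEnd);
        }
        if (newImplementation == address(0)) revert ZeroAddress();

        inSession = false; // close the session before any payout or upgrade
        pendingImplementation = newImplementation;
        // Fund distribution and the actual upgrade call would follow here.
    }
}
```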
`graduateAndUpgrade()` can be called successfully even when the school session has not ended