Summary

The graduateAndUpgrade() function calculates teacher compensation as a fixed portion of the bursary, but incorrectly distributes the entire 35% share to every teacher individually, rather than dividing it among all teachers. This results in either overpayment or transaction reversion if the bursary balance is insufficient to cover the mistake.

Vulnerability Details

The following line calculates what is meant to be each teacher's share:

However, payPerTeacher actually represents the entire teacher pool (35% of the bursary). It is then paid out to each teacher in this loop:

This results in:

• An incorrect total payout of payPerTeacher × totalTeachers,

• Contract reversion due to insufficient funds,

• Or silent overpayment if not all funds are accounted.

Example:

If bursary = 1000 USDC and there are 3 teachers:

• payPerTeacher = 350

• Total payout = 3 × 350 = 1050 USDC
  → More than bursary → Reverts on transfer

Impact

Upgrade process fails with more than 2 teachers.

• Teachers receive more than intended.

• Funds may be locked or misallocated.

• Contract violates the documented rule that teachers receive 35% of the bursary total.

Tools Used

Manual code review

Recommendations

Fix the logic by first computing the total teacher pool and then dividing it by the number of teachers:

Also consider:

• Emitting an event per payout (optional for traceability)

• Handling zero teachers edge case