Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Missing Role-Based Access Control

Summary

The LevelTwo smart contract tracks roles such as principal, teacher, and student using state variables (principal, isTeacher, isStudent) but does not enforce any access restrictions based on these roles. This leaves a significant security gap for any function that may later depend on role-specific logic, such as modifying student scores, starting sessions, or distributing bursaries, because nothing prevents unauthorized users from calling them.

If left unresolved, this will lead to unrestricted access, privilege escalation, and loss of control over the intended role-based logic.

Vulnerability Details

Roles Defined:

principal: address public principal

teacher: mapping(address => bool) public isTeacher

student: mapping(address => bool) public isStudent

Issue: No functions currently enforce or check these roles for permissioned actions.

Implication: Any logic added in the future (e.g., updating scores, approving bursaries) will be insecure unless access controls are retrofitted.

Impact

Any user can interact with critical state functions, impersonating a teacher or principal.

```solidity
// Future logic is vulnerable if not protected.
// studentScore is assumed to be a mapping(address => uint256) in the contract's storage.
function updateScore(address student, uint256 score) public {
    studentScore[student] = score; // Anyone could call this!
}
```
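As an added illustration (not code from the Hawk High codebase or from this submission), the following contract shows how the role state the finding describes can be turned into enforced checks. The role variables mirror the names given above (principal, isTeacher, isStudent); the studentScore mapping, the custom error names, the event, and the addTeacher/enrollStudent functions are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's own code. Role storage follows the variables
// named in the finding; studentScore, the errors, the event and the management
// functions are assumed for illustration.
contract LevelTwoRoleGuarded {
    address public principal;
    mapping(address => bool) public isTeacher;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore; // assumed

    error NotPrincipal(address caller);
    error NotTeacher(address caller);
    error NotStudent(address target);

    event ScoreUpdated(address indexed teacher, address indexed student, uint256 score);

    constructor() {
        // The deployer takes the principal role; a later hand-over would be
        // another principal-only action.
        principal = msg.sender;
    }

    // The checks the finding reports as missing: each modifier ties a
    // permissioned action to the role state already held in storage.
    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal(msg.sender);
        _;
    }

    modifier onlyTeacher() {
        if (!isTeacher[msg.sender]) revert NotTeacher(msg.sender);
        _;
    }

    // Role management stays with the principal so that a teacher cannot
    // promote arbitrary addresses.
    function addTeacher(address teacher) external onlyPrincipal {
        isTeacher[teacher] = true;
    }

    function enrollStudent(address student) external onlyPrincipal {
        isStudent[student] = true;
    }

    // Hardened form of the vulnerable snippet: only a teacher may write a
    // score, and only for an address that is actually enrolled as a student.
    function updateScore(address student, uint256 score) external onlyTeacher {
        if (!isStudent[student]) revert NotStudent(student);
        studentScore[student] = score;
        emit ScoreUpdated(msg.sender, student, score);
    }
}
```

The modifiers read the same state variables the contract already maintains, so retrofitting them costs no extra storage; the event gives an off-chain monitor a record of which teacher changed which score, which is the detection side of the same control.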

Tools Used

Recommendations

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
