The `LevelOne.enroll()` function violates the Checks-Effects-Interactions (CEI) pattern by performing an external call to `usdc.safeTransferFrom()` before updating internal state variables such as `isStudent[msg.sender]`. While this would normally be a reentrancy risk, it is not exploitable in the current deployment, as the USDS token is a standard ERC20 implementation. Standard ERC20 tokens, including USDS, do not invoke external calls during `transferFrom()`, which means that even if a user calls `enroll()` through a contract, no reentrant behavior can occur unless a non-standard or malicious token is introduced.
Impact: none in the current context. However, if the protocol ever migrates to a token with external hooks (e.g., ERC777 or a maliciously crafted ERC20), the current ordering would allow reentrancy.
Tools used: manual review.
Recommendation: follow the CEI pattern strictly by updating internal state before performing external calls. Optionally, add the `nonReentrant` modifier to `enroll()` as a preventive safeguard.
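The two orderings side by side, as an added illustration rather than the project's contract: `enrollUnsafe()` mirrors the reported call order, `enroll()` applies the recommendation. The contract name, the `enrollmentFee` amount and the OpenZeppelin v5 import paths are assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (ReentrancyGuard lives under utils/).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical minimal sketch of the enroll() flow, not LevelOne itself.
contract EnrollSketch is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable usdc;          // fee token (standard ERC20 today)
    uint256 public immutable enrollmentFee; // assumed fee amount
    mapping(address => bool) public isStudent;

    constructor(IERC20 _usdc, uint256 _enrollmentFee) {
        usdc = _usdc;
        enrollmentFee = _enrollmentFee;
    }

    // Reported ordering: the external call happens before the state write.
    // Safe only while the token has no transfer hooks; a hooked token could
    // re-enter here while isStudent[msg.sender] is still false.
    function enrollUnsafe() external {
        require(!isStudent[msg.sender], "already enrolled");                  // check
        usdc.safeTransferFrom(msg.sender, address(this), enrollmentFee);     // interaction
        isStudent[msg.sender] = true;                                        // effect (too late)
    }

    // Recommended ordering: check, then effect, then interaction.
    // nonReentrant is an extra guard, independent of the token's behaviour.
    function enroll() external nonReentrant {
        require(!isStudent[msg.sender], "already enrolled");                  // check
        isStudent[msg.sender] = true;                                        // effect
        usdc.safeTransferFrom(msg.sender, address(this), enrollmentFee);     // interaction
    }
}
```

With the state written first, a re-entrant call into `enroll()` fails the `require` even without the guard, so the fix does not depend on which token is configured.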