Hawk High

First Flight #39
Beginner Friendly / Solidity
100 EXP
Submission Details
Severity: low
Valid

`LevelOne.reviewCount` is never updated when a student receives a review, so students can receive more reviews than allowed and the review-count invariant is broken.

Summary

The LevelOne contract tracks how many reviews each student has received in `reviewCount`, and `giveReview` checks that value before accepting another review, but no code path ever increments it. The counter stays at zero for every student, so the cap check can never trigger.

Vulnerability Details

The cap check in `LevelOne::giveReview` reads `reviewCount`, but nothing in the function (or anywhere else in the contract) writes to it:

https://github.com/CodeHawks-Contests/2025-05-hawk-high/blob/3a7251910c31739505a8699c7a0fc1b7de2c30b5/src/LevelOne.sol#L281

Impact

Because the cap is compared against a counter that never moves, a teacher can keep calling `giveReview` for the same student for as long as the time gate allows. Students may therefore receive more reviews than allowed, breaking the invariant that every student receives 4 reviews per session.

Tools Used

Foundry. The following test, added to the contest's test suite, demonstrates that a student can receive 5 reviews within a single session:

```solidity
function test_studentCanReceiveMoreThanFourReviews() public schoolInSession {
    uint256 numOfReviews = 0;
    for (uint256 i = 0; i < 10; i++) {
        // Stop once the session is over; the session end is not what is under test here
        if (block.timestamp > levelOneProxy.sessionEnd()) {
            break;
        }
        // Fast-forward one week so the once-per-week review gate does not reject the call
        vm.warp(block.timestamp + 1 weeks);
        vm.prank(alice); // alice must hold the teacher role for giveReview to succeed
        levelOneProxy.giveReview(harriet, true); // should be allowed at most 4 times
        numOfReviews++;
    }
    console2.log("Number of reviews given: ", numOfReviews);
    // The 5th call should have reverted, but it does not because reviewCount is never updated.
    // If the invariant held, this assertion would fail.
    assertGt(numOfReviews, 4, "student received no more than 4 reviews");
}
```

Recommendations

Add the following line in `LevelOne::giveReview` after the requirement checks, so that every accepted review advances the counter the cap check reads:

```diff
+ reviewCount[_student]++;
```

Updates
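To make the failure mode and the fix concrete, here is a self-contained Foundry reproduction. It is an added example, not LevelOne code or the contest's test suite: the `ReviewBook` contract, its `MAX_REVIEWS` and `REVIEW_INTERVAL` constants and the `applyFix` toggle are this example's own constructions, built to mimic the pattern described above (a cap check that reads a counter which the same function never advances).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Hypothetical minimal contract reproducing the stale-counter pattern.
/// All names here are this example's own, not LevelOne's.
contract ReviewBook {
    uint256 public constant MAX_REVIEWS = 4;
    uint256 public constant REVIEW_INTERVAL = 1 weeks;

    address public immutable teacher;
    bool public immutable applyFix; // false = buggy path, true = hardened path

    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public lastReviewTime;
    mapping(address => int256) public score;

    constructor(address _teacher, bool _applyFix) {
        teacher = _teacher;
        applyFix = _applyFix;
    }

    function giveReview(address student, bool good) external {
        require(msg.sender == teacher, "not teacher");
        // The cap check reads reviewCount ...
        require(reviewCount[student] < MAX_REVIEWS, "review cap reached");
        require(block.timestamp >= lastReviewTime[student] + REVIEW_INTERVAL, "too soon");

        if (!good) score[student] -= 10;
        lastReviewTime[student] = block.timestamp;

        // ... but on the buggy path nothing ever advances it, so the check above
        // is dead code and the cap can never be reached.
        if (applyFix) {
            reviewCount[student]++;
        }
    }
}

contract ReviewBookTest is Test {
    address teacher = makeAddr("teacher");
    address student = makeAddr("student");

    /// Attempts `attempts` weekly reviews and returns how many were accepted.
    function _run(ReviewBook book, uint256 attempts) internal returns (uint256 given) {
        for (uint256 i = 0; i < attempts; i++) {
            vm.warp(block.timestamp + 1 weeks); // satisfy the once-per-week gate
            vm.prank(teacher);
            (bool ok,) = address(book).call(abi.encodeCall(ReviewBook.giveReview, (student, false)));
            if (ok) given++;
        }
    }

    function test_buggyCounterNeverStopsReviews() public {
        ReviewBook buggy = new ReviewBook(teacher, false);
        assertEq(_run(buggy, 10), 10);           // every attempt is accepted
        assertEq(buggy.reviewCount(student), 0); // counter never moved
        assertEq(buggy.score(student), -100);    // each extra bad review keeps cutting the score
    }

    function test_fixedCounterEnforcesCap() public {
        ReviewBook fixedBook = new ReviewBook(teacher, true);
        assertEq(_run(fixedBook, 10), 4);           // 5th and later attempts revert
        assertEq(fixedBook.reviewCount(student), 4);
        assertEq(fixedBook.score(student), -40);
    }
}
```

Run with `forge test --match-contract ReviewBookTest`. The two tests differ only in the `applyFix` flag, which isolates the single missing increment as the reason the cap is unenforceable: with the counter advanced, the same `require` that was dead code rejects the fifth review.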

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session
