Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Students can get 5 reviews in one school session

Summary

According to the documentation, students should receive only one review per week, and a school session lasts 4 weeks. It follows that a student should not receive more than 4 reviews in one school session.

This is confirmed by the following entry in the documentation:

Students must have gotten all reviews before system upgrade. System upgrade should not occur if any student has not gotten 4 reviews (one for each week)

There is a validation on the number of received reviews, but it is implemented incorrectly and allows a student to receive 5 reviews in one school session.

Vulnerability Details

The vulnerability is located in the reviewStudent function of the LevelOne contract.

    function giveReview(address _student, bool review) public onlyTeacher {
        if (!isStudent[_student]) {
            revert HH__StudentDoesNotExist();
        }
        // Bound on the number of reviews already received (checked before this review is counted)
        require(reviewCount[_student] < 5, "Student review count exceeded!!!");
        // One review per week per student
        require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
        [...]

The first require statement only rejects a review once the student already has 5 reviews, so a student with 4 reviews still passes it and receives a 5th. Because the check runs before the new review is counted, it should require that the student has received fewer than 4 reviews.

POC: the following test expects the 5th review to revert; against the current code the 5th review is accepted, so the test fails:

    function test_can_only_review_four_times() public schoolInSession {
        // give 4 reviews to the student, one per week
        for (uint256 i = 0; i < 4; i++) {
            vm.warp(block.timestamp + 1 weeks);
            vm.prank(alice);
            levelOneProxy.giveReview(harriet, false);
        }
        // try to give a 5th review in the following week; this should revert
        vm.warp(block.timestamp + 1 weeks);
        vm.prank(alice);
        vm.expectRevert("Student review count exceeded!!!");
        levelOneProxy.giveReview(harriet, false);
        vm.stopPrank();
    }

Impact

The contract allows teachers to give a student 5 reviews in one school session. This violates the documentation and can lead to unexpected results.

Since reviews can decrease a student's score, this can cause a student not to graduate even though they would not have been in danger of failing had they received only 4 reviews.
A teacher could exploit this to give a student 5 reviews and decrease their score by more than the documented limit allows.

Tools Used

Manually reviewed the code and the documentation.

Recommendations

The require statement should be changed to check that the student has received fewer than 4 reviews instead of 5.

    function giveReview(address _student, bool review) public onlyTeacher {
        if (!isStudent[_student]) {
            revert HH__StudentDoesNotExist();
        }
-       require(reviewCount[_student] < 5, "Student review count exceeded!!!");
+       require(reviewCount[_student] < 4, "Student review count exceeded!!!");
        require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
        [...]

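The following is an added example, not code from the Hawk High repository: a minimal contract that isolates the review-counting logic discussed in the Vulnerability Details and Recommendations sections, together with a Foundry test that pins the intended behaviour (exactly 4 reviews per session, the 5th reverts). The contract name `ReviewTracker`, the constants `MAX_REVIEWS_PER_SESSION` and `REVIEW_INTERVAL`, the custom errors, and the constructor are assumptions made for the example; it depends on forge-std being available. The counter increment is written out explicitly because a bound on `reviewCount` only protects anything if the counter actually advances on every review, which is the point raised in the judging tag below.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example contract (hypothetical, not the Hawk High LevelOne contract).
contract ReviewTracker {
    // Documentation: one review per week, 4-week session => at most 4 reviews.
    uint256 public constant MAX_REVIEWS_PER_SESSION = 4;
    uint256 public constant REVIEW_INTERVAL = 1 weeks;

    mapping(address => bool) public isTeacher;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public lastReviewTime;

    error NotTeacher();
    error StudentDoesNotExist();
    error ReviewLimitReached(uint256 currentCount);
    error ReviewTooSoon();

    modifier onlyTeacher() {
        if (!isTeacher[msg.sender]) revert NotTeacher();
        _;
    }

    constructor(address[] memory teachers, address[] memory students) {
        for (uint256 i = 0; i < teachers.length; i++) isTeacher[teachers[i]] = true;
        for (uint256 i = 0; i < students.length; i++) isStudent[students[i]] = true;
    }

    function giveReview(address _student, bool /* review */) external onlyTeacher {
        if (!isStudent[_student]) revert StudentDoesNotExist();
        // The count is checked BEFORE this review is recorded, so the bound must be
        // "fewer than MAX": counts 0..3 are accepted, count 4 (a 5th review) reverts.
        if (reviewCount[_student] >= MAX_REVIEWS_PER_SESSION) {
            revert ReviewLimitReached(reviewCount[_student]);
        }
        if (block.timestamp < lastReviewTime[_student] + REVIEW_INTERVAL) revert ReviewTooSoon();
        // Without these two updates neither guard above ever triggers.
        reviewCount[_student] += 1;
        lastReviewTime[_student] = block.timestamp;
    }
}

// Added Foundry test for the example contract above.
contract ReviewTrackerTest is Test {
    ReviewTracker internal tracker;
    address internal teacher = makeAddr("teacher");
    address internal student = makeAddr("student");

    function setUp() public {
        address[] memory teachers = new address[](1);
        teachers[0] = teacher;
        address[] memory students = new address[](1);
        students[0] = student;
        tracker = new ReviewTracker(teachers, students);
    }

    function test_fourReviewsAllowed_fifthReverts() public {
        // Four weekly reviews are accepted and counted.
        for (uint256 i = 0; i < 4; i++) {
            vm.warp(block.timestamp + 1 weeks);
            vm.prank(teacher);
            tracker.giveReview(student, false);
        }
        assertEq(tracker.reviewCount(student), 4);

        // A 5th review in week 5 must revert with the count that triggered the bound.
        vm.warp(block.timestamp + 1 weeks);
        vm.expectRevert(abi.encodeWithSelector(ReviewTracker.ReviewLimitReached.selector, 4));
        vm.prank(teacher);
        tracker.giveReview(student, false);
    }

    function test_secondReviewInSameWeekReverts() public {
        vm.warp(block.timestamp + 1 weeks);
        vm.prank(teacher);
        tracker.giveReview(student, true);

        // Same week, same student: the per-week guard rejects it.
        vm.expectRevert(ReviewTracker.ReviewTooSoon.selector);
        vm.prank(teacher);
        tracker.giveReview(student, true);
    }
}
```

Run with `forge test --match-contract ReviewTrackerTest`. Expressing the limit as a named constant and asserting `reviewCount(student) == 4` after the loop makes both failure modes visible in one test: an off-by-one bound (`< 5`) would let the 5th call succeed, and a counter that is never incremented would fail the `assertEq` before the revert expectation is even reached.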
Updates

Lead Judging Commences

yeahchibyke Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session

Appeal created

yeahchibyke Lead Judge 13 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
