Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Uninitialized reviewCount Variable Vulnerability

monteago30

Summary

In the LevelOne.sol contract, the reviewCount mapping is used to track how many reviews each student has received, which is critical for enforcing the invariant that "Students must have gotten all reviews before system upgrade." This mapping is declared as:


mapping(address => uint256) private reviewCount;

Vulnerability Details

The vulnerability arises because when a student enrolls through the enroll() function, their reviewCount value is never explicitly initialized. While Solidity automatically initializes state variables to default values (0 for uint256), this implicit initialization creates several security and maintainability issues.

Improper Tracking: The giveReview() function checks if a student has received fewer than 5 reviews

require(reviewCount[_student] < 5, "Student review count exceeded!!!");

But it never increments the counter after giving a review, rendering this check ineffective.

Missing Explicit Initialization: The enroll() function sets several student properties but fails to explicitly initialize reviewCount:

listOfStudents.push(msg.sender);
isStudent[msg.sender] = true;
studentScore[msg.sender] = 100;
// reviewCount[msg.sender] is not initialized here
bursary += schoolFees;

Graduation Validation Gap: There is no mechanism to verify that students have received exactly 4 reviews before the system upgrade, breaking a key invariant.


Impact

This vulnerability impacts the integrity of the review system in several ways:

  1. Students could potentially receive more than the allowed number of reviews

  2. The graduation process lacks validation that students have completed all required reviews

  3. The system fails to properly track educational progress

  4. Core business logic that relies on accurate review counting is compromised

While this vulnerability doesn't directly result in fund loss, it breaks a fundamental invariant of the educational system, potentially allowing students to graduate without proper assessment or causing some students to be unfairly treated.

Tools Used

manual review

Slither & Aderyn tools used

Recommendations

Explicitly initialize the reviewCount variable in the enroll() function:

function enroll() external notYetInSession {
// Existing checks...
listOfStudents.push(msg.sender);
isStudent[msg.sender] = true;
studentScore[msg.sender] = 100;
reviewCount[msg.sender] = 0; // Add explicit initialization
lastReviewTime[msg.sender] = 0; // Also initialize this value
bursary += schoolFees;
emit Enrolled(msg.sender);
}

Increment the review count in the giveReview() function:

function giveReview(address _student, bool review) public onlyTeacher {
// Existing checks...
// Update student score based on review
if (!review) {
studentScore[_student] -= 10;
}
// Increment the review count
reviewCount[_student]++;
// Update last review time
lastReviewTime[_student] = block.timestamp;
emit ReviewGiven(_student, review, studentScore[_student]);
}

Add validation in the graduateAndUpgrade() function to ensure all students have received exactly 4 reviews:

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
// Existing checks...
// Verify all students have received 4 reviews
for (uint256 i = 0; i < listOfStudents.length; i++) {
require(reviewCount[listOfStudents[i]] == 4, "Not all students have received 4 reviews");
}
// Continue with upgrade logic...
}


Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

monteago30 Submitter
6 months ago
yeahchibyke Lead Judge
6 months ago
yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.