In the `giveReview()` function, there is a check to ensure that reviews can only be given once per week:
However, when a student first enrolls, their `lastReviewTime[_student]` value is initialized to the default value of 0. This means that the condition `block.timestamp >= lastReviewTime[_student] + reviewTime` will always be true for the first review, regardless of when it's given.
Teachers can give the first review to a student immediately after enrollment, due to another vulnerability where there is no strict requirement that reviews can only be given after the session has started.
Depending on the time between the student's enrollment and the official start of the session, the student may receive as many additional reviews as the number of weeks that pass between enrollment and the session's end.
If combined with the missing review counter increment, this could allow multiple reviews to be given in quick succession.
This vulnerability undermines the time-based constraints of the review system and could lead to unfair evaluation of students.
In the `startSession()` function, initialize `lastReviewTime` to `block.timestamp` for all students.
Combine this with a restriction that prevents teachers from reviewing students before the session has started.
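A minimal sketch of the two recommended changes, added here as an example and not taken from the audited contract. Only `giveReview`, `startSession`, `lastReviewTime`, `reviewTime` and `inSession` come from the finding; the `enroll` function, the `students` array, the `isStudent` mapping and the custom errors are assumptions, and teacher-only access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Storage layout and helper
// names (students, isStudent, enroll, the custom errors) are assumptions.
contract ReviewWindowSketch {
    uint256 public constant reviewTime = 1 weeks;

    bool public inSession;
    address[] private students;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public lastReviewTime;

    error NotInSession();
    error NotStudent();
    error ReviewTooSoon(uint256 nextAllowed);

    function enroll(address _student) external {
        require(!inSession, "enrollment closed");
        require(!isStudent[_student], "already enrolled");
        isStudent[_student] = true;
        students.push(_student);
        // lastReviewTime[_student] is still 0 here. With only the timestamp
        // comparison in giveReview(), 0 + reviewTime is always in the past,
        // so a first review would be accepted immediately.
    }

    function startSession() external {
        require(!inSession, "already started");
        inSession = true;
        // Change 1: start every student's weekly clock at session start.
        // The loop is linear in the number of enrolled students.
        for (uint256 i = 0; i < students.length; i++) {
            lastReviewTime[students[i]] = block.timestamp;
        }
    }

    function giveReview(address _student) external {
        // Change 2: reject reviews given before the session has started.
        if (!inSession) revert NotInSession();
        if (!isStudent[_student]) revert NotStudent();
        uint256 nextAllowed = lastReviewTime[_student] + reviewTime;
        if (block.timestamp < nextAllowed) revert ReviewTooSoon(nextAllowed);
        lastReviewTime[_student] = block.timestamp;
    }
}
```

With both changes in place, the earliest possible review for any student is one `reviewTime` after `startSession()`, regardless of how long before the session the student enrolled.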