Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: low
Invalid

Blocklisted teacher address (or principal) can prevent all wage payments and system upgrade

Description:

The graduateAndUpgrade() function in the LevelOne contract transfers USDC to all teachers and the principal in a single transaction. If any of these addresses are blocklisted by the USDC contract, the entire transaction will revert.

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        // ...
        // Push payments: a revert in any single transfer reverts the whole call.
        for (uint256 n = 0; n < totalTeachers; n++) {
            usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
        }
        usdc.safeTransfer(principal, principalPay);
    }

This prevents all teachers from receiving their wages and blocks the system upgrade process.

Impact:

  • A single blocklisted teacher (or principal) address can prevent all wage payments to all teachers and the principal

  • The system upgrade process will be completely blocked, preventing the school from progressing to the next level

  • This creates a denial-of-service vulnerability that could permanently freeze the protocol's upgrade mechanism

  • The school would be unable to complete its session cycle as designed

Recommended Mitigation:

Implement a pull-payment pattern instead of pushing payments to all teachers in a single transaction.
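
One way the recommended pull-payment pattern could look, as an added example that is not part of the submission or the Hawk High code base. It is a standalone, non-upgradeable sketch that assumes OpenZeppelin's SafeERC20; `PullPaymentWages`, `owed`, `totalOwed`, `creditWages` and `claimWages` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added illustration, not the LevelOne contract. All names other than usdc,
// principal, listOfTeachers, payPerTeacher and principalPay are hypothetical.
contract PullPaymentWages {
    using SafeERC20 for IERC20;

    IERC20 public immutable usdc;
    address public immutable principal;
    address[] public listOfTeachers;
    mapping(address => uint256) public owed; // credited but not yet withdrawn
    uint256 public totalOwed;                // sum of all outstanding credits

    event WagesClaimed(address indexed payee, uint256 amount);

    constructor(IERC20 _usdc, address _principal, address[] memory _teachers) {
        usdc = _usdc;
        principal = _principal;
        listOfTeachers = _teachers;
    }

    // Replaces the push loop: only storage is written here, no token transfer
    // happens, so a blocklisted payee cannot make this step revert.
    function creditWages(uint256 payPerTeacher, uint256 principalPay) external {
        require(msg.sender == principal, "not principal");
        uint256 total = listOfTeachers.length * payPerTeacher + principalPay;
        require(usdc.balanceOf(address(this)) >= totalOwed + total, "underfunded");
        for (uint256 n = 0; n < listOfTeachers.length; n++) {
            owed[listOfTeachers[n]] += payPerTeacher;
        }
        owed[principal] += principalPay;
        totalOwed += total;
    }

    // Each payee withdraws for themselves. If USDC rejects the transfer for a
    // blocklisted caller, only that caller's claim reverts.
    function claimWages() external {
        uint256 amount = owed[msg.sender];
        require(amount != 0, "nothing owed");
        owed[msg.sender] = 0; // clear the credit before the external call
        totalOwed -= amount;
        usdc.safeTransfer(msg.sender, amount);
        emit WagesClaimed(msg.sender, amount);
    }
}
```

With this layout the crediting step, and anything that follows it in the same transaction, no longer depends on a successful transfer to every payee.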

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
