Submission Details
Severity:
Not updating Bursary after graduateAndUpgrade function
Summary
We are not updating bursary after sending usd to teacher and principal
Hence we can keep track of the remaining 60% of the student fees
Vulnerability Details
function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
if (_levelTwo == address(0)) {
revert HH__ZeroAddress();
}
uint256 totalTeachers = listOfTeachers.length;
uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
_authorizeUpgrade(_levelTwo);
for (uint256 n = 0; n < totalTeachers; n++) {
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
usdc.safeTransfer(principal, principalPay);
}
-
you can see that the usdc is transfered but the bursary is not modified to the correct value i.e it should be like below
function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {if (_levelTwo == address(0)) {revert HH__ZeroAddress();}uint256 totalTeachers = listOfTeachers.length;uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;_authorizeUpgrade(_levelTwo);for (uint256 n = 0; n < totalTeachers; n++) {usdc.safeTransfer(listOfTeachers[n], payPerTeacher);}usdc.safeTransfer(principal, principalPay);bursary -= (payPerTeacher * totalTeachers) + principalPay;}
Impact
cant track the remaining 60% of the amount
Tools Used
brain
Recommendations
add get function for bursary and update the graduateAndUpgrade contract as a above
Updates
Lead Judging Commences
yeahchibyke 6 months ago
Submission Judgement Published Assigned finding tags:
bursary not updated
The bursary is not updated after wages have been paid in `graduateAndUpgrade()` function
yeahchibyke 6 months ago
Submission Judgement Published Assigned finding tags:
bursary not updated
The bursary is not updated after wages have been paid in `graduateAndUpgrade()` function
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.