The `payPerTeacher` amount is miscalculated in the `graduateAndUpgrade` function. It distributes 35% of the bursary to each teacher instead of distributing 35% across all teachers, leading to a potential full depletion (or overdraw) of funds.
`uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;`
calculates the teacher payout as a flat portion of the entire bursary (e.g., 35%) for each teacher, instead of dividing it equally among all teachers.
If bursary = 1000 USDC, TEACHER_WAGE = 3.5e17 (35%), and there are 2 teachers:
Each teacher gets 350 USDC
Total sent = 700 USDC
But if there are 10 teachers: total sent = 3500 USDC, which exceeds the bursary.
The contract could transfer more USDC than intended, leaving nothing or little for the principal.
In extreme cases, the function may fail if the contract doesn't have enough USDC to cover all payments.
This could lead to unfair payment distribution or blocked upgrades.
Manual code review and a basic calculator for percentage verification.
`payPerTeacher` in `graduateAndUpgrade()` is incorrectly calculated.
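The reported calculation beside a version that splits the 35% pool across teachers, as an added example rather than code from the audited contract. `PRECISION = 1e18` is assumed from the quoted `TEACHER_WAGE` value, and the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the audited contract. Only `bursary`, `TEACHER_WAGE`,
/// `PRECISION` and `payPerTeacher` come from the finding; all other names are hypothetical.
contract TeacherPayoutMath {
    uint256 public constant TEACHER_WAGE = 3.5e17; // 35%, the value quoted in the finding
    uint256 public constant PRECISION = 1e18;      // assumed scale, so that 3.5e17 means 35%

    /// Calculation as reported: the result does not depend on the number of teachers,
    /// so every teacher is paid the full 35% share.
    function payPerTeacherReported(uint256 bursary) public pure returns (uint256) {
        return (bursary * TEACHER_WAGE) / PRECISION;
    }

    /// Total a payout loop sends when it pays the reported amount to each teacher.
    /// It grows linearly with teacherCount and passes the bursary once 35% * count > 100%.
    function totalReported(uint256 bursary, uint256 teacherCount) public pure returns (uint256) {
        return payPerTeacherReported(bursary) * teacherCount;
    }

    /// Split version: compute the 35% pool once, then divide it among the teachers.
    function payPerTeacherSplit(uint256 bursary, uint256 teacherCount) public pure returns (uint256) {
        require(teacherCount > 0, "no teachers"); // avoid division by zero
        uint256 teacherPool = (bursary * TEACHER_WAGE) / PRECISION;
        return teacherPool / teacherCount; // rounds down; any dust is never sent
    }

    /// Total sent by the split version; bounded by the 35% pool for any teacherCount.
    function totalSplit(uint256 bursary, uint256 teacherCount) public pure returns (uint256) {
        return payPerTeacherSplit(bursary, teacherCount) * teacherCount;
    }

    /// Invariant a unit or fuzz test can assert over arbitrary inputs.
    function splitStaysWithinPool(uint256 bursary, uint256 teacherCount) external pure returns (bool) {
        return totalSplit(bursary, teacherCount) <= (bursary * TEACHER_WAGE) / PRECISION;
    }
}
```

Calling `totalReported` and `totalSplit` with the finding's 1000 USDC bursary and its 2-teacher and 10-teacher cases shows the difference between the two calculations directly.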