The graduateAndUpgrade function transfers USDC payouts to the teachers and the principal but fails to update the bursary value afterwards. The contract will therefore reflect a wrong balance of the system, and a future upgrade will break because the USDC transfer will fail.
In the graduateAndUpgrade function, bursary funds are used to calculate and transfer payments:
However, the value of bursary is never updated after the funds are transferred (it should drop to 60% of its old value, the amount remaining after the payouts). Since bursary tracks the total school fees collected from students, this means that:
Teachers and the principal can potentially be paid again if this function is called again (e.g., before or after the upgrade logic is activated).
Even though _authorizeUpgrade() is present, if the new logic does not explicitly block it or reset the values, payouts can happen repeatedly.
Double payment risk: Anyone who can call or simulate graduateAndUpgrade again can cause repeated USDC payouts.
Fund depletion: USDC balance might be drained before the upgrade is completed or exploited post-upgrade.
State inconsistency: bursary continues to show an old value even after funds are paid out.
Manual code review and logic analysis.
```solidity
// reduce the recorded bursary by the amount actually paid out
bursary -= (payPerTeacher + principalPay);
```
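To show the stale-bursary problem and the recommended fix side by side, here is an added, stripped-down contract written for this finding; it is not the audited code. Only `bursary`, `payPerTeacher`, `principalPay` and the 60%-remaining figure come from the finding. The names `TEACHER_WAGE`, `PRINCIPAL_WAGE`, `PRECISION`, `listOfTeachers`, `recordFees` and the `graduated` flag are assumptions, as is the choice to split the teacher wage evenly across all teachers so that the total paid out matches the recorded decrement:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface for the USDC token (assumption: the real contract imports IERC20).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical school contract used only to illustrate the finding.
contract SchoolPayouts {
    IERC20 public immutable usdc;
    address public principal;
    address[] public listOfTeachers;   // assumed name
    uint256 public bursary;            // total fees collected, in USDC units
    bool public graduated;             // assumed guard: set once payouts have happened

    uint256 public constant TEACHER_WAGE = 35;   // assumed: 35% of bursary, shared by all teachers
    uint256 public constant PRINCIPAL_WAGE = 5;  // assumed: 5% of bursary
    uint256 public constant PRECISION = 100;

    constructor(IERC20 _usdc, address _principal, address[] memory _teachers) {
        usdc = _usdc;
        principal = _principal;
        listOfTeachers = _teachers;
    }

    // Simplified fee intake: the real contract credits bursary when students enrol.
    function recordFees(uint256 amount) external {
        bursary += amount;
    }

    // VULNERABLE shape: pays wages but leaves `bursary` untouched, so a second call
    // recomputes the same wages from the stale value and either double-pays or
    // reverts once the USDC balance is short.
    function graduateAndUpgradeVulnerable() external {
        uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION / listOfTeachers.length;
        uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
        for (uint256 i = 0; i < listOfTeachers.length; i++) {
            usdc.transfer(listOfTeachers[i], payPerTeacher);
        }
        usdc.transfer(principal, principalPay);
        // bursary is never reduced here: the stored value is now wrong
    }

    // FIXED shape: compute the total that actually leaves the contract, update
    // `bursary` before any external call, and refuse to run a second time.
    function graduateAndUpgradeFixed() external {
        require(!graduated, "already graduated");
        require(listOfTeachers.length > 0, "no teachers");

        uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION / listOfTeachers.length;
        uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
        uint256 totalPaid = payPerTeacher * listOfTeachers.length + principalPay;
        require(totalPaid <= bursary, "payouts exceed bursary");

        // Effects before interactions: bursary now reflects what is really left
        // (about 60% of the old value under the assumed wage constants).
        bursary -= totalPaid;
        graduated = true;

        for (uint256 i = 0; i < listOfTeachers.length; i++) {
            require(usdc.transfer(listOfTeachers[i], payPerTeacher), "teacher transfer failed");
        }
        require(usdc.transfer(principal, principalPay), "principal transfer failed");
    }
}
```

The fixed variant decrements `bursary` by the sum that actually left the contract rather than by a single teacher's share, and the `graduated` flag covers the case the finding raises where new upgrade logic does not itself block a repeat call. Checking the transfer return values also turns a silent failed payout into a revert instead of a state update with no matching USDC movement.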
The bursary is not updated after wages have been paid in the `graduateAndUpgrade()` function