Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Centralised privilege creates critical governance risks

Summary

The LevelOne and LevelTwo Hawk High School contracts implement a highly centralised governance model in which a single principal address exercises unilateral control over the system. This design undermines trust assumptions typically expected in decentralised environments and introduces risks of abuse, censorship, or rug pulls.

Vulnerability Details

The contract assigns full administration to a single externally owned account designated as the principal. The principal can:

  • Add or remove teachers at will (addTeacher, removeTeacher)

  • Start the school session and set the cutOffScore for graduation (startSession)

  • Expel students without oversight (expel)

  • Change key economic parameters like bursary distribution

  • Call the graduateAndUpgrade function to trigger a UUPS upgrade to any arbitrary logic contract

  • Receive a fixed percentage (5%) of the bursary as a "principal wage" during graduation payouts and make themselves a teacher to receive further "teacher wage" (35%) from the bursary.

After the upgrade, the LevelTwo contract preserves this centralised control pattern, with no decentralisation or governance mechanism introduced. The principal still controls the new logic contract.

Impact

This centralisation exposes the system to several risks:

  • Single point of failure: If the principal's private key is compromised or misused, the entire system becomes vulnerable.

  • Unchecked upgrades: The principal can upgrade the contract logic to malicious code via UUPS without community or multi-sig approval.

  • Censorship and abuse: Students or teachers can be removed without recourse, undermining the system's integrity.

  • Economic exploitation: The principal may remove teachers before graduation to maximise their own share of the bursary.

Impact Classification: Medium

Likelihood Classification: High

While this issue may not lead to immediate fund loss, it undermines the system's integrity, trust, and resilience - especially dangerous if this contract is intended to simulate decentralised governance.

Tools Used

  • Manual review of privilege modifiers and business logic

  • Foundry test

Proof of Concept:

Adding the code below to the LevelOneAndGraduateTest.t.sol file demonstrates the principal receiving both the principal wage and the full teacher wage:

...
contract LevelOneAndGraduateTest is Test {
    ...
    modifier addPrincipalAsTeacher() {
        _oneTeachersAdded();
        _studentsEnrolled();
        // Add the principal as a teacher before starting the session
        // (alice, the only other teacher, is removed later, just before graduation)
        vm.startPrank(principal);
        levelOneProxy.addTeacher(principal);
        vm.stopPrank();
        vm.prank(principal);
        levelOneProxy.startSession(70);
        _;
    }

    function test_confirm_add_teacher_then_remove_teacher_and_add_principal_before_graduation() public addPrincipalAsTeacher {
        // Graduate
        levelTwoImplementation = new LevelTwo();
        levelTwoImplementationAddress = address(levelTwoImplementation);
        bytes memory data = abi.encodeCall(LevelTwo.graduate, ());
        // Remove alice so the principal is the sole remaining teacher at payout time
        vm.startPrank(principal);
        levelOneProxy.removeTeacher(alice);
        vm.stopPrank();
        vm.prank(principal);
        levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);
        // Assertions
        // Verify the principal's payment includes both principal and teacher wages
        assertFalse(levelOneProxy.isTeacher(alice));
        assertTrue(levelOneProxy.isTeacher(principal));
        assertEq(usdc.balanceOf(principal), 120e20);
    }

Recommendations

  • Introduce multi-signature governance, role-based access control, or a DAO-style governance mechanism to make administrative decisions.

  • Require time delays and community approval, e.g. timelock or on-chain voting, for upgrades via the UUPS proxy.

  • Consider access controls that separate operational roles, e.g. principal vs. admin, and limit unilateral actions.

  • Publish upgrade plans and governance changes to ensure transparency.
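As an added illustration of the recommendations above (this is not code from the submission or from the Hawk High codebase), the sketch below separates the operational principal role from the role allowed to upgrade, prevents a principal from being appointed as a teacher, and gates _authorizeUpgrade behind a propose-then-execute delay so that an upgrade is visible on-chain before it can take effect. It assumes OpenZeppelin's upgradeable contracts (v5) are installed; the GovernedSchool name, the role names, the two-day delay and the teacher bookkeeping are illustrative choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Hawk High code. Assumes OpenZeppelin upgradeable contracts v5.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

contract GovernedSchool is Initializable, AccessControlUpgradeable, UUPSUpgradeable {
    // Day-to-day operations (principal) are split from the power to change code (upgrader).
    bytes32 public constant PRINCIPAL_ROLE = keccak256("PRINCIPAL_ROLE");
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    // Illustrative timelock: an upgrade becomes executable this long after it is proposed.
    uint256 public constant UPGRADE_DELAY = 2 days;

    // Pending upgrades: implementation address => earliest timestamp at which it may execute.
    mapping(address => uint256) public upgradeReadyAt;
    mapping(address => bool) public isTeacher;

    event UpgradeProposed(address indexed newImplementation, uint256 readyAt);
    event UpgradeCancelled(address indexed newImplementation);

    error UpgradeNotProposed(address implementation);
    error UpgradeNotReady(address implementation, uint256 readyAt);
    error PrincipalCannotBeTeacher(address account);

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    // admin would typically be a multisig; upgrader a timelock or DAO executor.
    function initialize(address admin, address principal, address upgrader) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(PRINCIPAL_ROLE, principal);
        _grantRole(UPGRADER_ROLE, upgrader);
    }

    // The principal keeps the operational duty of appointing teachers, but any account
    // holding PRINCIPAL_ROLE is refused, which closes the double-wage path from the finding.
    function addTeacher(address teacher) external onlyRole(PRINCIPAL_ROLE) {
        if (hasRole(PRINCIPAL_ROLE, teacher)) revert PrincipalCannotBeTeacher(teacher);
        isTeacher[teacher] = true;
    }

    function removeTeacher(address teacher) external onlyRole(PRINCIPAL_ROLE) {
        isTeacher[teacher] = false;
    }

    // Step 1: announce the new implementation. During the delay anyone can inspect its code
    // and the admin can cancel.
    function proposeUpgrade(address newImplementation) external onlyRole(UPGRADER_ROLE) {
        uint256 readyAt = block.timestamp + UPGRADE_DELAY;
        upgradeReadyAt[newImplementation] = readyAt;
        emit UpgradeProposed(newImplementation, readyAt);
    }

    function cancelUpgrade(address newImplementation) external onlyRole(DEFAULT_ADMIN_ROLE) {
        delete upgradeReadyAt[newImplementation];
        emit UpgradeCancelled(newImplementation);
    }

    // Step 2: UUPSUpgradeable.upgradeToAndCall calls this hook; it only passes for an
    // implementation that was proposed and whose delay has elapsed.
    function _authorizeUpgrade(address newImplementation) internal override onlyRole(UPGRADER_ROLE) {
        uint256 readyAt = upgradeReadyAt[newImplementation];
        if (readyAt == 0) revert UpgradeNotProposed(newImplementation);
        if (block.timestamp < readyAt) revert UpgradeNotReady(newImplementation, readyAt);
        delete upgradeReadyAt[newImplementation];
    }
}
```

With this layout a compromised principal key can still disrupt day-to-day operations, but it can neither swap the logic contract nor add itself as a teacher, and every upgrade leaves an UpgradeProposed event that monitoring can alert on before the delay expires.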

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Appeal created

cyfe45 Submitter 6 months ago
yeahchibyke Lead Judge 6 months ago
