Hawk High

First Flight #39
Beginner Friendly / Solidity
100 EXP
Submission Details
Severity: low
Valid

reviewCount Not Incremented in giveReview Function

Summary

The giveReview function in the LevelOne contract checks if a student's reviewCount is less than 5, but this counter is never incremented after a review is given. As a result, while the weekly time restriction works correctly, the total review limit of 5 is ineffective, allowing students to receive an unlimited number of reviews over time.

Vulnerability Details

In the LevelOne contract, the giveReview function contains the following check:

// @audit-medium `reviewCount` is never initialized or changed after a review, so a student can be reviewed more than 5 times
require(reviewCount[_student] < 5, "Student review count exceeded!!!");
require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");

The issue is that, while this check is meant to limit the total number of reviews to 5, the reviewCount variable is never incremented after a review is given.

When a review is given, only the lastReviewTime mapping is updated:

// Update last review time
lastReviewTime[_student] = block.timestamp;

While the time restriction correctly limits reviews to one per week, the total review count restriction is completely ineffective because the counter never increases. This means a student can receive an unlimited number of reviews (one per week, indefinitely), when the intent appears to be a maximum of 5 reviews in total.

Impact

This vulnerability has several impacts:

  1. The 5-review limit is completely ineffective

  2. Students can receive an unlimited number of reviews over time

  3. Students with more negative reviews could have their scores continuously reduced below what should be possible

  4. There's no reliable way to track how many reviews a student has actually received

  5. The invariant requiring exactly 4 reviews before graduation cannot be enforced

This is assessed as Medium severity because it breaks core functionality of the review system and can lead to unfair treatment of students. Additionally, it undermines the invariant that students must receive exactly 4 reviews before system upgrade.

Tools Used

Manual code review

Recommendation

Update the giveReview function to properly track the number of reviews a student has received:

function giveReview(address _student, bool review) public onlyTeacher {
    if (!isStudent[_student]) {
        revert HH__StudentDoesNotExist();
    }
    // Ensure student hasn't exceeded the maximum number of reviews
    require(reviewCount[_student] < 5, "Student review count exceeded!!!");
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
    // where `false` is a bad review and `true` is a good review
    if (!review) {
        studentScore[_student] -= 10;
    }
    // Update last review time
    lastReviewTime[_student] = block.timestamp;
    // Increment the review count
    reviewCount[_student] += 1;
    emit ReviewGiven(_student, review, studentScore[_student]);
}

Additionally, initialize the reviewCount mapping when students enroll:

function enroll() external notYetInSession {
    // Existing code...
    listOfStudents.push(msg.sender);
    isStudent[msg.sender] = true;
    studentScore[msg.sender] = 100;
    reviewCount[msg.sender] = 0; // Initialize review count
    bursary += schoolFees;
    emit Enrolled(msg.sender);
}
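To make the effect of the missing increment concrete, the following Python model simulates the review-limit logic described above in both forms: the reported behaviour (counter never changes) and the recommended fix (counter incremented on every review). This is an added example and not the Hawk High contract code; the mappings are modelled as dicts, block.timestamp as an integer the caller advances, and reviewTime is assumed to be one week. The limit of 5, the starting score of 100 and the penalty of 10 are taken from the finding.

```python
"""Toy model of LevelOne.giveReview, written to illustrate the finding.

Added example, not the contract's own code. The contract's reviewCount,
lastReviewTime and studentScore mappings are modelled as dicts, and
block.timestamp as an integer that the caller advances with warp().
"""

MAX_REVIEWS = 5                 # the bound checked by `reviewCount[_student] < 5`
REVIEW_TIME = 7 * 24 * 60 * 60  # assumed value of `reviewTime` (one week, in seconds)
BAD_REVIEW_PENALTY = 10         # `studentScore[_student] -= 10`
INITIAL_SCORE = 100             # `studentScore[msg.sender] = 100` on enroll


class LevelOneModel:
    def __init__(self, increment_count: bool):
        # increment_count=False reproduces the reported bug (counter never changes);
        # increment_count=True models the recommended fix.
        self.increment_count = increment_count
        self.review_count = {}
        self.last_review_time = {}
        self.student_score = {}
        self.now = 0  # modelled block.timestamp

    def enroll(self, student: str) -> None:
        self.student_score[student] = INITIAL_SCORE
        self.review_count[student] = 0
        self.last_review_time[student] = 0

    def warp(self, seconds: int) -> None:
        """Advance the modelled block.timestamp (like Foundry's vm.warp)."""
        self.now += seconds

    def give_review(self, student: str, good: bool) -> None:
        if student not in self.student_score:
            raise ValueError("HH__StudentDoesNotExist")
        # The two require() checks from the contract.
        if not self.review_count[student] < MAX_REVIEWS:
            raise ValueError("Student review count exceeded!!!")
        if not self.now >= self.last_review_time[student] + REVIEW_TIME:
            raise ValueError("Reviews can only be given once per week")
        if not good:
            # Solidity 0.8 reverts on underflow; model that the same way.
            if self.student_score[student] < BAD_REVIEW_PENALTY:
                raise ValueError("arithmetic underflow")
            self.student_score[student] -= BAD_REVIEW_PENALTY
        self.last_review_time[student] = self.now
        if self.increment_count:
            self.review_count[student] += 1


def reviews_accepted(weeks: int, increment_count: bool):
    """Give one bad review per week for `weeks` weeks.

    Returns (number of reviews that succeeded, final student score).
    """
    m = LevelOneModel(increment_count)
    m.enroll("student")
    accepted = 0
    for _ in range(weeks):
        m.warp(REVIEW_TIME)
        try:
            m.give_review("student", good=False)
            accepted += 1
        except ValueError:
            pass  # the review reverted; keep going to the next week
    return accepted, m.student_score["student"]


if __name__ == "__main__":
    # Vulnerable model: all 8 weekly reviews land, score falls to 20.
    print("vulnerable:", reviews_accepted(8, increment_count=False))
    # Fixed model: only 5 reviews land, score stops at 50.
    print("fixed:     ", reviews_accepted(8, increment_count=True))
```

Running the model shows the weekly restriction holding in both variants while only the fixed variant stops after the fifth review; in the vulnerable variant the score keeps falling for as long as the teacher keeps submitting bad reviews.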

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session
