Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: low
Valid

Missing session check allows reviews before school session starts

Description:

The giveReview() function in the LevelOne contract lacks a check to verify that the school session has actually started before allowing teachers to give reviews to students. While other functions like expel() properly check that the school is in session, this critical check is missing from the review functionality.

    function giveReview(address _student, bool review) public onlyTeacher {
        if (!isStudent[_student]) {
            revert HH__StudentDoesNotExist();
        }
        require(reviewCount[_student] < 5, "Student review count exceeded!!!");
        require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
        // where `false` is a bad review and true is a good review
        if (!review) {
            studentScore[_student] -= 10;
        }
        // Update last review time
        lastReviewTime[_student] = block.timestamp;
        emit ReviewGiven(_student, review, studentScore[_student]);
    }

Impact:

  • Students can receive reviews before the school session officially starts

  • This violates the educational process where reviews should only be given during the active session

  • Students could start the session with unfairly reduced scores

  • Combined with the fact that lastReviewTime[_student] is not initialized and reviewCount[_student] is never incremented, this leads to a situation where a student can receive unlimited reviews, depending only on how many weeks have passed since enrollment.

Recommended Mitigation:

Add a check at the beginning of the giveReview() function to ensure the school is in session.
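
One way to apply this mitigation, as an added example rather than the project's own code: a reduced stand-in for LevelOne in which giveReview() reverts unless `inSession` is true, and which also increments reviewCount so the five-review cap takes effect. The contract name, the HH__SessionNotStarted error, the constructor, startSession() and the starting score of 100 are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal stand-in for LevelOne, reduced to the state giveReview() touches.
contract LevelOneReviewSketch {
    error HH__StudentDoesNotExist();
    error HH__SessionNotStarted(); // hypothetical error name, not from the page

    event ReviewGiven(address indexed student, bool review, uint256 studentScore);

    uint256 public constant reviewTime = 1 weeks;
    bool public inSession; // false until the session is started
    mapping(address => bool) public isTeacher;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore;
    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public lastReviewTime;

    // Hypothetical setup: one teacher and one student, constructed starting score of 100.
    constructor(address teacher, address student) {
        isTeacher[teacher] = true;
        isStudent[student] = true;
        studentScore[student] = 100;
    }

    modifier onlyTeacher() {
        require(isTeacher[msg.sender], "not a teacher");
        _;
    }

    // Hypothetical stand-in for whatever starts the session in the real contract.
    function startSession() external { inSession = true; }

    function giveReview(address _student, bool review) public onlyTeacher {
        // Mitigation: refuse reviews until the school session has started.
        if (!inSession) revert HH__SessionNotStarted();
        if (!isStudent[_student]) revert HH__StudentDoesNotExist();
        require(reviewCount[_student] < 5, "Student review count exceeded!!!");
        require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
        // `false` is a bad review and costs the student 10 points
        if (!review) {
            studentScore[_student] -= 10;
        }
        reviewCount[_student] += 1; // makes the 5-review cap above effective
        lastReviewTime[_student] = block.timestamp;
        emit ReviewGiven(_student, review, studentScore[_student]);
    }
}
```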

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

session state not updated

`inSession` not updated after during upgrade
