Hawk High

Description:

The LevelTwo contract contains an empty graduate() function marked with the reinitializer(2) modifier. This function is intended to be called during the upgrade process from LevelOne to LevelTwo to initialize the new implementation contract and transfer necessary state data.

Without proper initialization logic in this function, critical state data from LevelOne (including student records, teacher information, scores, and other state variables) will not be transferred to the new implementation. The reinitializer(2) modifier ensures this function can only be called once during the upgrade, but the function itself lacks any implementation to properly handle the state transition.

Attack path:

• The principal calls graduateAndUpgrade() in LevelOne to upgrade to LevelTwo

• The upgrade process executes successfully, changing the implementation address in the proxy

• The empty graduate() function in LevelTwo is called but performs no initialization

• All state data that should have been explicitly transferred or reconfigured is lost

• The new implementation starts with default values for all state variables not explicitly stored in the proxy's storage slots

Impact:

• Complete loss of student and teacher data that requires explicit transfer

• Loss of any state variables that have different storage layouts between implementations

• School operations become non-functional after upgrade as critical data is missing

• Students who should have graduated based on their scores cannot be properly identified

• Invariant are not hold:

  • Any student who doesn't meet the cutOffScore should not be upgraded

  • remaining 60% (of the bursary )should reflect in the bursary after upgrade

Recommended Mitigation:

Implement proper state transfer logic in the graduate() function including cutOffScorestudent's filter