Incorrect Bursary Balance After Payments in School Contract
Summary
When the system upgrades to level two via the graduateAndUpgrade() function, the amounts paid to teachers and the principal are transferred out in USDC tokens, but the contract's bursary state variable is not reduced accordingly. This results in an inflated and incorrect bursary balance being carried over to the Level Two contract.
Vulnerability Details
In the graduateAndUpgrade() function, after calculating payPerTeacher and principalPay, the function proceeds to transfer these amounts using usdc.safeTransfer(). However, there are no corresponding lines of code that subtract (payPerTeacher * totalTeachers) and principalPay from the contract's bursary state variable.
Impact
Misleading State Variable: The
bursarystate variable in Level Two will not accurately reflect the actual USDC balance available for Level Two operations.Broken Invariant: It breaks the invariant that the
bursaryvariable represents the funds allocated or remaining for the current/next operational phase.
Tools Used
Recommendations
Implement these code to graduateAndUpgrade()
Lead Judging Commences
bursary not updated
The bursary is not updated after wages have been paid in `graduateAndUpgrade()` function
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.