Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

[H-2] Missing checks when upgrading the contract

Summary

The requirements define specific invariants that the protocol must comply with. However, no checks enforce these requirements, which can lead to the protocol being upgraded with the wrong state.

Impact

The protocol can be updated even if the requirements to be upgradeable are not satisfied.

Tools Used

Manual Review

Recommendations

Add a check for every point of the requirements:

  • Students must have gotten all reviews before system upgrade. System upgrade should not occur if any student has not gotten 4 reviews (one for each week)

  • Any student who doesn't meet the cutOffScore should not be upgraded

  • System upgrade cannot take place unless school's sessionEnd has reached

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
if (_levelTwo == address(0)) {
revert HH__ZeroAddress();
}
+ if (block.timestamp <= sessionEnd) {
+ revert();
+ }
+
+ for (uint256 i = 0; i < listOfStudents.lenght; i++) {
+ if (reviewCount[listOfStudents[i]] < 4) {
+ revert();
+ }
+ uint256 score = studentScore(listOfStudents[i]);
+ if (score < cutOffScore) {
+ listOfStudents[i] = listOfStudents[studentLength - 1];
+ listOfStudents.pop();
+ }
+ }
...code...
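Review bot: the swap-and-pop in the `score < cutOffScore` branch runs inside a forward loop that still executes `i++`, so the student moved from the end of the array into slot `i` is never checked for review count or score. Either skip the increment after a removal or iterate from the end of the array. In the same loop, `listOfStudents.lenght` is misspelled and will not compile (`length`), and `studentLength` is not declared anywhere in the visible lines, so `studentLength - 1` should read `listOfStudents.length - 1`. `studentScore(listOfStudents[i])` uses call syntax while `reviewCount[listOfStudents[i]]` uses index syntax; confirm which form `studentScore` actually takes. The two new `revert()` calls are bare, whereas the existing zero-address check reverts with the custom error `HH__ZeroAddress()`; dedicated errors for the session-not-ended and missing-reviews cases would make the failure reason visible to the caller.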
Updates

Lead Judging Commences

yeahchibyke Lead Judge
7 months ago
yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.

can graduate without session end

`graduateAndUpgrade()` can be called successfully even when the school session has not ended
