Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Impact: medium
Likelihood: low
Invalid

DOS on RemoveTeacher() and expel() if listOfTeachers.length or listOfStudents.length is too high

0xziin

Summary

Deny Of Service on RemoveTeacher() and expel() if listOfTeachers.length is too high.

Vulnerability Details

https://github.com/CodeHawks-Contests/2025-05-hawk-high/blob/main/src/LevelOne.sol#L220-L241

uint256 teacherLength = listOfTeachers.length;
for (uint256 n = 0; n < teacherLength; n++) {
if (listOfTeachers[n] == _teacher) {
listOfTeachers[n] = listOfTeachers[teacherLength - 1];
listOfTeachers.pop();
break;
}
}

If listOfTeachers.length is too high (meaning there is too much teachers added to the table)
then because of the loop, the execution will exceed the gas limit and the function will always fail.

Same with expel() if there is too much students (listOfStudents.lengt is too high)

https://github.com/CodeHawks-Contests/2025-05-hawk-high/blob/main/src/LevelOne.sol#L243-L267

uint256 studentLength = listOfStudents.length;
for (uint256 n = 0; n < studentLength; n++) {
if (listOfStudents[n] == _student) {
listOfStudents[n] = listOfStudents[studentLength - 1];
listOfStudents.pop();
break;
}
}

Impact

Deny Of Service, the transaction will fail because it will exceed the gas limit.
No possibility to remove a teacher nor expel.

Tools Used

Github, Manual review.

Recommendations

The number of students and teachers should be limited to a certain amount to avoid exceeding the gas limit.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.