Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

[H-04] Principal Can Maliciously Expel Students After Session Ends, Blocking Legitimate Graduation

0xshaedyw

Summary

The expel() function allows the principal to remove students even after the session ends, potentially preventing qualified students (those meeting cutOffScore) from graduating despite fulfilling all requirements.

Vulnerability Details

Location

File: levelOne.sol
Function: expel(address _student)

Critical Issues

Incorrect Session Check: Current check if (inSession == false) only prevents expulsions BEFORE session starts, not AFTER
No Graduation Protection: Students can be removed after completing all requirements but before upgrade
Trust Breakdown: Principal has unilateral power to block student progression

Proof of Concept

Test Case:

function test_malicious_principal_blocks_graduation_by_late_expulsion() public {

// 1. Student enrolls and pays fees

address newStudent = makeAddr("new_student");

deal(address(usdc), newStudent, 10_000e18);

vm.prank(newStudent);

usdc.approve(address(levelOneProxy), schoolFees);

vm.prank(newStudent);

levelOneProxy.enroll();

// 2. Principal starts session then immediately expels

vm.startPrank(principal);

levelOneProxy.startSession(70);

// 3. Fast-forward to session end

vm.warp(block.timestamp + 4 weeks);

levelOneProxy.expel(newStudent);

vm.stopPrank();

// 4. Verify student was wrongfully removed

assertFalse(levelOneProxy.isStudent(newStudent));

assertEq(levelOneProxy.getTotalStudents(), 0);

}

Test Result:

Ran 1 test for test/LevelOneAndGraduateTest.t.sol:LevelOneAndGraduateTest

[PASS] test_malicious_principal_blocks_graduation_by_late_expulsion() (gas: 424253)

Logs:

Enrollment succesful

Student has been removed

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 8.12ms (3.24ms CPU time)

Impact

High Severity because:

Allows principal to censor specific students arbitrarily
Undermines trust in the decentralized education system

Tools Used

Foundry (forge test)
Manual analysis of state transitions

Recommendations

Implement Dual Session Check:

function expel(address _student) public onlyPrincipal {

require(inSession, "Can only expel during active session");

// ... existing logic ...

}

Updates

Lead Judging Commences

yeahchibyke Lead Judge

27 days ago

yeahchibyke Lead Judge 16 days ago

Submission Judgement Published

Validated

Assigned finding tags:

can expel unfairly before upgrade

Principal can unfairly expel a student before upgrade

Appeal created

mishoko Auditor

14 days ago

yeahchibyke Lead Judge

13 days ago

yeahchibyke Lead Judge 13 days ago

Submission Judgement Published

Validated

Assigned finding tags:

can expel unfairly before upgrade

Principal can unfairly expel a student before upgrade

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.