Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Missing Review Count Validation Before Upgrade

Summary

Students who have not received all required reviews can avoid the score penalty and potentially graduate without meeting the requirements.

Vulnerability Details

Each student must receive exactly 4 reviews (one per week).
Defaulting on a review should reduce the student's score by 10 points (per the giveReview() logic).
The graduateAndUpgrade() function does not verify that each student has received the required 4 weekly reviews before processing graduations. As a result, students who defaulted on reviews can still graduate if they meet the score cutoff.

Impact

The intended penalty mechanism (score deductions for missed reviews) can be bypassed: a student with outstanding reviews is graduated without the corresponding deductions ever being applied.

Tools Used

Foundry tests

Recommendations

Add a validation step that checks each student's review count before the upgrade proceeds:

```solidity
function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
    // Validate basic upgrade conditions before paying out or upgrading
    _validateUpgradeConditions(_levelTwo);
    // ...
}

// HH__PendingReviews() is a new custom error; declare it alongside the existing HH__ errors.
function _validateUpgradeConditions(address _levelTwo) private view {
    if (_levelTwo == address(0)) revert HH__ZeroAddress();
    if (block.timestamp < sessionEnd) revert HH__SessionNotEnded();

    // Check that every enrolled student has received all 4 weekly reviews
    uint256 studentCount = listOfStudents.length;
    for (uint256 i = 0; i < studentCount; i++) {
        if (reviewCount[listOfStudents[i]] < 4) {
            revert HH__PendingReviews();
        }
    }
}
```
Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.
