Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: low

Invalid

DOS on graduateAndUpgrade() if one of the teachers has his address unable to receive USDC (blacklisted)

0xziin

Summary

Deny Of Service on graduateAndUpgrade() if one of the teachers has his address unable to receive USDC (address blacklisted by the USDC contract/Circle)

Vulnerability Details

If one of the teacher is not able to receive USDC example : blacklisted by Circle, then the execution will always
fail and there will be no way to graduate and upgrade.

https://github.com/CodeHawks-Contests/2025-05-hawk-high/blob/main/src/LevelOne.sol#L307-L309

for (uint256 n = 0; n < totalTeachers; n++) {

usdc.safeTransfer(listOfTeachers[n], payPerTeacher);

}

Impact

Unable to graduate & upgrade. Teachers won't be paid nor the principal. Funds won't be recoverable.

Tools Used

Github, Manual review.

Recommendations

Should implement a function to change a teacher's address so if he is unable to receive USDC with his actual one he can just use another one and be paid.
Another solution would be to check if the transaction succeeds, if not just swap USDC to DAI or swap USDC to WrapETH and send those tokens instead.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.