The giveReview function in LevelOne.sol does not increment the reviewCount variable, allowing teachers to submit an unlimited number of reviews for a student, violating the project's invariant that each student should receive exactly 4 reviews (one per week).
In the giveReview function, the following condition checks that a student's review count is less than 5:
However, the function does not increment reviewCount[_student] after a review is submitted. As a result, reviewCount remains zero, bypassing the restriction and allowing teachers to submit unlimited reviews for a student. This violates the invariant that students should receive exactly 4 reviews during a 4-week session.
Impact: Medium
This vulnerability indirectly impacts the protocol by allowing teachers to unfairly reduce a student's score through excessive negative reviews, potentially preventing qualified students from graduating or disrupting the fairness of the system. No direct financial loss occurs.
Likelihood: High
Exploitation is straightforward; a malicious teacher can repeatedly submit reviews for a student without restriction, as the reviewCount check is ineffective.
Based on the Impact vs Likelihood matrix, a Medium Impact with High Likelihood results in a Medium severity rating.
Manual code analysis
Solidity IDE (for contract review)
To fix this vulnerability, increment reviewCount[_student] in the giveReview function. Suggested code:
Additionally, consider updating the condition to reviewCount[_student] < 4 to align with the project's 4-review limit.
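The following contract is an added illustration of the pattern described above, not the project's LevelOne.sol: the storage layout, the `onlyTeacher` modifier, the score penalty and the revert messages are assumptions made for the example. It places the vulnerable check beside the corrected one so the missing increment and the `< 5` off-by-one are visible together.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's LevelOne.sol. Names other than
// giveReview and reviewCount are assumptions for illustration.
contract ReviewCountExample {
    // Invariant from the finding: exactly 4 reviews per student (one per week).
    uint256 public constant MAX_REVIEWS = 4;
    uint256 public constant PENALTY = 10; // assumed score deduction per bad review

    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public studentScore;
    mapping(address => bool) public isTeacher;

    event Reviewed(address indexed teacher, address indexed student, bool good);

    constructor() {
        isTeacher[msg.sender] = true;
    }

    modifier onlyTeacher() {
        require(isTeacher[msg.sender], "caller is not a teacher");
        _;
    }

    // Vulnerable pattern: the bound is checked, but reviewCount is never
    // advanced, so reviewCount[_student] stays 0 and the require always passes.
    function giveReviewVulnerable(address _student, bool _good) external onlyTeacher {
        require(reviewCount[_student] < 5, "review limit reached");
        if (!_good && studentScore[_student] >= PENALTY) {
            studentScore[_student] -= PENALTY;
        }
        emit Reviewed(msg.sender, _student, _good);
    }

    // Fixed pattern: bound at 4 (not 5) and increment the counter before
    // touching the score, so the fifth call for the same student reverts.
    function giveReview(address _student, bool _good) external onlyTeacher {
        require(reviewCount[_student] < MAX_REVIEWS, "review limit reached");
        reviewCount[_student] += 1;
        if (!_good && studentScore[_student] >= PENALTY) {
            studentScore[_student] -= PENALTY;
        }
        emit Reviewed(msg.sender, _student, _good);
    }
}
```

A unit test for the fix should call `giveReview` four times for one student, assert `reviewCount` equals 4, and expect the fifth call to revert; the same sequence against `giveReviewVulnerable` never reverts, which is the finding.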
`reviewCount` for students is not updated after each review session