Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

Incorrect calculation of `payPerTeacher` leads to overpaying the teachers and a possible revert.

Summary

`payPerTeacher` is intended to be the amount each teacher receives. In fact, it represents the total amount that all the teachers should receive together.

Vulnerability Details

`payPerTeacher` is calculated as follows:

```solidity
(bursary * TEACHER_WAGE) / PRECISION;
```

The bursary is the sum of all the fees that students pay when joining, and `TEACHER_WAGE` is 35%. Hence, this calculation yields 35% of the bursary, which is the total that all the teachers should get altogether. However, as the payout loop later in the code shows, each teacher is sent this full 35% of the bursary:

```solidity
for (uint256 n = 0; n < totalTeachers; n++) {
    usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
```

Impact

This leads to several impacts:

  1. Teachers are overpaid. For example, if there are 4 teachers, each of them should get 25% of the entire teacher share, which means that the 35% share needs to be divided into 4 pieces.

  2. This can lead to a revert if there are too many teachers. For example, there are 4 teachers and 1 student. The school fee is 100 (for the sake of simplicity). payPerTeacher is 35. Hence, we need to pay out 4*35 = 130, while there are only 100 tokens in the contract, which will lead to a revert.

  3. Breaking the invariant:

teachers share of 35% of bursary

Tools Used

Manual review

Recommendations

Divide `payPerTeacher` into smaller shares, so each teacher gets an equal share of `payPerTeacher`.
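The recommended split, shown next to the miscalculated total, as an added example that is not the Hawk High contract or the submitter's code. The `IERC20Min` interface, the `TeacherPayout` contract name, the constant values 35 and 100, and the use of plain `transfer` in place of `safeTransfer` are assumptions made to keep it self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Hawk High source. Interface, contract name and
// constant values are assumptions; plain transfer stands in for safeTransfer.
interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract TeacherPayout {
    uint256 internal constant TEACHER_WAGE = 35; // 35%, per the report
    uint256 internal constant PRECISION = 100;   // assumed denominator

    IERC20Min internal usdc;
    address[] internal listOfTeachers;
    uint256 internal bursary;

    // What the reported loop sends in total: the whole 35% pool once per teacher.
    function buggyTotal() public view returns (uint256) {
        return ((bursary * TEACHER_WAGE) / PRECISION) * listOfTeachers.length;
    }

    // Corrected amount: the 35% pool divided equally among the teachers.
    // Integer division rounds down, so any remainder stays in the contract.
    function fixedPayPerTeacher() public view returns (uint256) {
        uint256 totalTeachers = listOfTeachers.length;
        if (totalTeachers == 0) return 0; // no teachers: avoid division by zero
        return ((bursary * TEACHER_WAGE) / PRECISION) / totalTeachers;
    }

    // Internal on purpose: the calling function must carry the contract's
    // own access control.
    function _payTeachers() internal {
        uint256 payPerTeacher = fixedPayPerTeacher();
        uint256 totalTeachers = listOfTeachers.length;
        // Invariant from the report: teachers receive at most 35% of the bursary.
        assert(payPerTeacher * totalTeachers <= (bursary * TEACHER_WAGE) / PRECISION);
        for (uint256 n = 0; n < totalTeachers; n++) {
            require(usdc.transfer(listOfTeachers[n], payPerTeacher), "transfer failed");
        }
    }
}
```

A regression test for this finding can compare `buggyTotal()` against the contract's token balance for a teacher-heavy setup and check that the total paid by `_payTeachers()` never exceeds the 35% pool.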

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

incorrect teacher pay calculation

`payPerTeacher` in `graduateAndUpgrade()` is incorrectly calculated.
