Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Failure to Verify 4 Reviews per Student in `graduateAndUpgrade` Function

mahdi811

Summary

The graduateAndUpgrade function in LevelOne.sol does not check whether all students have received exactly 4 reviews before upgrading the system, violating the project's invariant that system upgrades should not occur if any student has not received 4 reviews (one per week).

Vulnerability Details

According to the project invariants, students must have received all 4 reviews (one for each week) before the system can be upgraded. However, the graduateAndUpgrade function does not verify the reviewCount for each student in listOfStudents. This allows the principal to upgrade the system even if some students have fewer than 4 reviews, bypassing the required review process.

Relevant code in graduateAndUpgrade:

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
if (_levelTwo == address(0)) {
revert HH__ZeroAddress();
}
uint256 totalTeachers = listOfTeachers.length;
uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
_authorizeUpgrade(_levelTwo);
for (uint256 n = 0; n < totalTeachers; n++) {
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
usdc.safeTransfer(principal, principalPay);
}

No condition checks reviewCount[_student] == 4 for each student, violating the invariant.

Impact

  • Impact: High
    This vulnerability severely disrupts protocol functionality by allowing the system to upgrade without ensuring all students have completed their required 4 reviews. This can lead to unfair graduation outcomes, as students with incomplete reviews may be incorrectly evaluated or upgraded, undermining the protocol's core logic and fairness. No direct financial loss occurs, but the integrity of the system is significantly compromised.

  • Likelihood: Medium
    Exploitation depends on the principal calling graduateAndUpgrade before all students have received 4 reviews, which could happen intentionally or due to an error. The likelihood is moderate, as it requires specific conditions (e.g., incomplete reviews) but is feasible during normal operation.

Tools Used

  • Manual code analysis

Recommendations

Add a check to ensure all students have received exactly 4 reviews before allowing the upgrade. Suggested code modification:

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
if (_levelTwo == address(0)) {
revert HH__ZeroAddress();
}
// Check that all students have 4 reviews
for (uint256 i = 0; i < listOfStudents.length; i++) {
require(reviewCount[listOfStudents[i]] == 4, "Incomplete student reviews");
}
uint256 totalTeachers = listOfTeachers.length;
uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
_authorizeUpgrade(_levelTwo);
for (uint256 n = 0; n < totalTeachers; n++) {
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
usdc.safeTransfer(principal, principalPay);
}

This ensures the upgrade adheres to the invariant that all students must have 4 reviews.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.