Hawk High

Summary

The graduateAndUpgrade function in LevelOne.sol incorrectly calculates teacher payments, attempting to pay each teacher 35% of the bursary instead of dividing the 35% share among all teachers, potentially leading to excessive payouts and depletion of the protocol's funds.

Vulnerability Details

According to the project invariants, teachers should collectively receive 35% of the bursary as their wages, shared among all teachers. However, in the graduateAndUpgrade function, the payment per teacher is calculated as:

where TEACHER_WAGE = 35 and PRECISION = 100, meaning each teacher is paid 35% of the entire bursary. The function then transfers this amount to each teacher in a loop:

This results in a total payout of 35% * totalTeachers, which could far exceed the intended 35% allocation. For example, with 5 teachers, the function attempts to pay 175% of the bursary, violating the invariant and risking depletion of funds.

Impact

• Impact: High
  This vulnerability directly puts funds at risk, as it can lead to excessive payouts that deplete the bursary, potentially causing the transaction to revert or leaving insufficient funds for the principal's 5% wage and the 60% reserve for LevelTwo. This severely disrupts the protocol's financial integrity and functionality.

• Likelihood: High
  Exploitation is straightforward and automatic whenever graduateAndUpgrade is called with multiple teachers, as the incorrect calculation is embedded in the function's logic. No malicious intent is required, making it highly likely to occur during normal operation.

Tools Used

• Manual code analysis

Recommendations

Correct the teacher payment calculation to divide the 35% share among all teachers. Suggested code modification:

This ensures the total teacher payout equals 35% of the bursary, divided equally among all teachers, and prevents excessive fund transfers.