Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: low
Valid

Missing Review Counter Increment in giveReview Function


Severity: High

Likelihood: High

Summary

The giveReview function in the LevelOne contract contains a critical vulnerability: it checks that a student's review count is below 5 but never increments that counter. This bypasses a crucial access control mechanism intended to limit the number of reviews a student can receive.

Vulnerability Details

In the giveReview function, there is a check:

```solidity
require(reviewCount[_student] < 5, "Student review count exceeded!!!");
```

However, after this check passes, the function fails to increment the reviewCount[_student] value. This means:

  1. The reviewCount[_student] value will always remain at its initial value of 0

  2. The check will always pass regardless of how many times a teacher reviews a student

  3. A student could potentially receive unlimited reviews, as opposed to the intended limit of 5

This nullifies the protection mechanism intended to limit teacher influence on student scores.

Impact

The impact of this vulnerability is high because:

  1. Teachers can give unlimited negative reviews to a specific student, potentially reducing their score to 0, and there is no session check to stop more than 4 reviews

  2. This breaks the intended system balance where student scores should be influenced by a maximum of 5 reviews

  3. Malicious teachers could target specific students disproportionately

  4. The absence of a functioning review count creates an unpredictable and inequitable review system

Code Reference

```solidity
function giveReview(address _student, bool review) public onlyTeacher {
    if (!isStudent[_student]) {
        revert HH__StudentDoesNotExist();
    }
    // The limit is checked here, but reviewCount[_student] is never written anywhere in this function
    require(reviewCount[_student] < 5, "Student review count exceeded!!!");
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
    // where `false` is a bad review and true is a good review
    if (!review) {
        studentScore[_student] -= 10;
    }
    // Update last review time
    lastReviewTime[_student] = block.timestamp;
    emit ReviewGiven(_student, review, studentScore[_student]);
}
```

Proof of Concept

  1. A teacher calls giveReview for student A with a negative review

  2. The reviewCount[studentA] check passes since it's 0 (default value)

  3. The student score is reduced by 10 points

  4. The reviewCount[studentA] remains at 0

  5. The same teacher can repeatedly call giveReview (once per week due to the time check) indefinitely

Recommendations

The vulnerability can be fixed by adding a line to increment the review counter:

```solidity
function giveReview(address _student, bool review) public onlyTeacher {
    if (!isStudent[_student]) {
        revert HH__StudentDoesNotExist();
    }
    require(reviewCount[_student] < 5, "Student review count exceeded!!!");
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
    // where `false` is a bad review and true is a good review
    if (!review) {
        studentScore[_student] -= 10;
    }
    // Increment the review counter
    reviewCount[_student] += 1;
    // Update last review time
    lastReviewTime[_student] = block.timestamp;
    emit ReviewGiven(_student, review, studentScore[_student]);
}
```

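As an added regression test (not part of the original submission or of the Hawk High codebase), the following Foundry test exercises the patched giveReview against a minimal stand-alone model of the review state. The ReviewLimitModel contract, its enroll helper, the initial score of 100, the 1 week reviewTime and the event signature are assumptions made for this example, not values taken from LevelOne; the test asserts that the counter actually advances and that the sixth review is rejected, which is exactly the behaviour the unpatched function fails to provide.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-alone model of the review path (assumed for this example; not the LevelOne contract).
// Only the state and checks that giveReview touches are reproduced here.
contract ReviewLimitModel {
    error HH__StudentDoesNotExist();
    event ReviewGiven(address indexed student, bool review, uint256 studentScore);

    uint256 public constant reviewTime = 1 weeks; // assumed value
    address public teacher;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore;
    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public lastReviewTime;

    constructor(address _teacher) {
        teacher = _teacher;
    }

    modifier onlyTeacher() {
        require(msg.sender == teacher, "not teacher");
        _;
    }

    // Assumed enrolment helper: every student starts with a score of 100.
    function enroll(address _student) external {
        isStudent[_student] = true;
        studentScore[_student] = 100;
    }

    // giveReview with the recommended fix applied: the counter is incremented on every review.
    function giveReview(address _student, bool review) public onlyTeacher {
        if (!isStudent[_student]) {
            revert HH__StudentDoesNotExist();
        }
        require(reviewCount[_student] < 5, "Student review count exceeded!!!");
        require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
        // `false` is a bad review and `true` is a good review
        if (!review) {
            studentScore[_student] -= 10;
        }
        // Increment the review counter (the line missing from the original)
        reviewCount[_student] += 1;
        lastReviewTime[_student] = block.timestamp;
        emit ReviewGiven(_student, review, studentScore[_student]);
    }
}

contract ReviewLimitTest is Test {
    ReviewLimitModel model;
    address teacher = makeAddr("teacher");
    address student = makeAddr("student");

    function setUp() public {
        model = new ReviewLimitModel(teacher);
        model.enroll(student);
        // Move the clock past one reviewTime so the first review is not blocked by the weekly check.
        vm.warp(1 weeks + 1);
    }

    function testSixthReviewIsRejected() public {
        // Five weekly negative reviews must all succeed and must each advance the counter.
        for (uint256 i = 0; i < 5; i++) {
            vm.prank(teacher);
            model.giveReview(student, false);
            assertEq(model.reviewCount(student), i + 1);
            vm.warp(block.timestamp + 1 weeks);
        }
        assertEq(model.reviewCount(student), 5);
        assertEq(model.studentScore(student), 50);

        // The sixth attempt trips the limit check even though the weekly cooldown has elapsed.
        vm.expectRevert(bytes("Student review count exceeded!!!"));
        vm.prank(teacher);
        model.giveReview(student, false);
    }
}
```

Run it with `forge test --match-contract ReviewLimitTest`. Dropping the `reviewCount[_student] += 1;` line from the model makes the loop's `assertEq(model.reviewCount(student), i + 1)` fail on the first iteration, which is the cheapest way to keep this finding from regressing.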
Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session
