This vulnerability allows a teacher to give a student a review even if the school session has not started yet. This breaks the rules and implementation of the protocol, where reviews are given only during the study period and are supposed to be based on the student's behavior and performance.
1- Navigate to the test/LeveOnelAndGraduateTest.t.sol file.
2- Add the following PoC code to the test file:
3- In the command line, run the following command: `forge test --match-test testTeacherCanReviewEvenSchoolSessionHasNotBeenStarted -vvv`
4- The output will be as follows --> Clara's Final score is: 90
5- Note that in the test I didn't use:
which indicates that the session has not been started.
A teacher being able to review a student when the school session has not started yet is a clear break of the protocol's rules and implementation, where reviews should be given to students by teachers only during the session time (4 weeks); otherwise the teacher shouldn't be able to review the students.
If the teacher reviews the students when no session is being held, what will the review be based on?
Manual Recon
Foundry test suite
Add:
at the beginning of the `LevelOne:giveReview` function.
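One way such a session guard can look, as an added example on a simplified model contract rather than the audited LevelOne code. Only `inSession`, `giveReview` and the 4-week session come from the finding; the contract name, the error names, the `duringSession` modifier, `sessionEnd` and the score values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Simplified model for illustration only; not the audited LevelOne contract.
contract SessionGatedReviews {
    error NotPrincipal();
    error NotTeacher();
    error NotInSession(); // hypothetical error names
    error SessionOver();
    uint256 public constant SESSION_LENGTH = 4 weeks; // session time per the finding
    uint256 public constant START_SCORE = 100; // assumed, consistent with the PoC's 90
    uint256 public constant PENALTY = 10; // assumed
    address public immutable principal;
    bool public inSession;
    uint256 public sessionEnd;
    mapping(address => bool) public isTeacher;
    mapping(address => uint256) public studentScore;

    constructor() { principal = msg.sender; }

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    modifier onlyTeacher() {
        if (!isTeacher[msg.sender]) revert NotTeacher();
        _;
    }

    // The guard: no review before the session starts or after it ends.
    modifier duringSession() {
        if (!inSession) revert NotInSession();
        if (block.timestamp >= sessionEnd) revert SessionOver();
        _;
    }

    function addTeacher(address t) external onlyPrincipal { isTeacher[t] = true; }
    function enroll(address s) external onlyPrincipal { studentScore[s] = START_SCORE; }

    function startSession() external onlyPrincipal {
        inSession = true;
        sessionEnd = block.timestamp + SESSION_LENGTH;
    }

    // Without `duringSession`, this call succeeds before startSession(), as in the PoC.
    function giveReview(address student, bool good) external onlyTeacher duringSession {
        if (!good) studentScore[student] -= PENALTY;
    }
}
```

With the guard in place, a regression test can assert that a teacher's `giveReview` call reverts with `NotInSession` until `startSession()` has been called, and that the student's score is unchanged.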
`inSession` not updated after during upgrade