Description:
The giveReview(address _student, bool review) function allows teachers to submit reviews for students. It enforces only a global cooldown (reviewTime) and a per-student maximum review count (reviewCount[_student]); it does not record which teachers have already reviewed a given student. Because no state ties a review to the teacher who submitted it, the same teacher can review the same student again and again, waiting out the cooldown between submissions, until reviewCount[_student] reaches the cap. The per-student cap therefore limits the number of reviews, not the number of distinct reviewers, which defeats the likely intent of collecting diverse, fair feedback from multiple teachers.
Impact:
A malicious or biased teacher can unfairly inflate or deflate a student's score by repeatedly submitting reviews, and can consume the student's entire review allowance so that no other teacher's feedback is ever recorded. Over time this produces inaccurate assessments, abuse of the scoring system, and manipulation of any feature tied to scores (e.g., bursary allocation or graduation eligibility). It undermines the integrity of the review process.
Tools used:
Manual review
Remediation:
Track reviews per (teacher, student) pair so that a teacher can review a given student only once, or at most once per time period, depending on the intended logic. In giveReview, check that tracking before the existing cooldown and count checks, and update it in the same transaction as the review so the check cannot be bypassed by reordering calls.
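The following is an added illustration for this finding and is not the audited project's code. Only giveReview, _student, review, reviewTime and reviewCount are taken from the finding; the teacher role bookkeeping, the score mapping, the cooldown and cap constants, and the hasReviewed mapping are assumptions made for the example. It shows the vulnerable shape described above next to a hardened version that records one review per (teacher, student) pair.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal model of the review logic discussed in this finding.
// Everything except giveReview, _student, review, reviewTime and reviewCount
// is assumed for illustration and does not come from the audited contract.
contract ReviewExample {
    uint256 public constant REVIEW_INTERVAL = 1 weeks; // assumed cooldown length
    uint256 public constant MAX_REVIEWS = 5;           // assumed per-student cap

    mapping(address => bool) public isTeacher;         // assumed role bookkeeping
    mapping(address => int256) public score;           // assumed score per student
    mapping(address => uint256) public reviewCount;    // reviews received per student
    uint256 public reviewTime;                         // global last-review timestamp

    // Fix: remember which teacher has already reviewed which student.
    mapping(address => mapping(address => bool)) public hasReviewed;

    constructor() {
        isTeacher[msg.sender] = true;
    }

    modifier onlyTeacher() {
        require(isTeacher[msg.sender], "not a teacher");
        _;
    }

    // Vulnerable shape (as described in the finding): a global cooldown and a
    // per-student cap, but nothing ties a review to the teacher who gave it,
    // so one teacher can submit every one of a student's MAX_REVIEWS reviews.
    function giveReviewVulnerable(address _student, bool review) external onlyTeacher {
        require(block.timestamp >= reviewTime + REVIEW_INTERVAL, "cooldown active");
        require(reviewCount[_student] < MAX_REVIEWS, "max reviews reached");
        _record(_student, review);
    }

    // Hardened form: each teacher may review a given student only once.
    // The per-pair check runs first and the flag is set in the same call, so
    // a second review from the same teacher reverts regardless of timing.
    function giveReview(address _student, bool review) external onlyTeacher {
        require(!hasReviewed[msg.sender][_student], "already reviewed this student");
        require(block.timestamp >= reviewTime + REVIEW_INTERVAL, "cooldown active");
        require(reviewCount[_student] < MAX_REVIEWS, "max reviews reached");
        hasReviewed[msg.sender][_student] = true;
        _record(_student, review);
    }

    // Shared bookkeeping: bump the per-student count, refresh the global
    // cooldown, and move the assumed score up or down by one.
    function _record(address _student, bool review) internal {
        reviewCount[_student] += 1;
        reviewTime = block.timestamp;
        score[_student] += review ? int256(1) : int256(-1);
    }
}
```

If the intended rule is "at most once per period" rather than "once ever", replace the bool in hasReviewed with a uint256 timestamp of the teacher's last review of that student and require block.timestamp to be at least one period past it; the important property in either variant is that the state is keyed by both msg.sender and _student and is written in the same transaction as the review.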