Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Dual Role Exploitation : Principal Can Be Added as Teacher

khalidwalid

Description

The addTeacher() function in the LevelOne contract lacks a check to prevent the principal from being added as a teacher. This oversight enables a single individual to hold both principal and teacher roles simultaneously, creating a conflict of interest and potentially allowing them to receive compensation for both roles during fund distribution.

Vulnerable Code

function addTeacher(address _teacher) public onlyPrincipal notYetInSession {

if (_teacher == address(0)) {

revert HH__ZeroAddress();

}

if (isTeacher[_teacher]) {

revert HH__TeacherExists();

}

if (isStudent[_teacher]) {

revert HH__NotAllowed();

}

listOfTeachers.push(_teacher);

isTeacher[_teacher] = true;

emit TeacherAdded(_teacher);

}

Impact

Double Compensation: During the graduateAndUpgrade() function execution, the principal would receive both their designated 5% wage AND an additional teacher's wage, which is an unfair distribution of funds.
Fund Depletion: The contract calculates payments as:

uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;

If the principal is both principal and teacher, they would receive:
- Principal pay: (bursary * 5) / 100
- Teacher pay: (bursary * 35) / 100 (divided by number of teachers)
This could lead to faster depletion of the bursary fund than intended by the contract design.
Manipulation of Educational System: As both principal and teacher, an individual could have unfair influence over student reviews, as teachers can give reviews that affect student scores.

Proof of Concept

Principal deploys the contract and initializes it with themselves as principal
Principal calls addTeacher(principalAddress) to add themselves as a teacher
When school session ends and graduateAndUpgrade() is called, the principal receives double payment

Recommendation

Add an explicit check in the addTeacher() function to prevent the principal from being added as a teacher:

function addTeacher(address _teacher) public onlyPrincipal notYetInSession {

if (_teacher == address(0)) {

revert HH__ZeroAddress();

}

if (_teacher == principal) {

revert HH__NotAllowed(); // Or create a specific error like HH__PrincipalCannotBeTeacher

}

if (isTeacher[_teacher]) {

revert HH__TeacherExists();

}

if (isStudent[_teacher]) {

revert HH__NotAllowed();

}

listOfTeachers.push(_teacher);

isTeacher[_teacher] = true;

emit TeacherAdded(_teacher);

}

This simple check ensures proper separation of roles and prevents potential exploitation of the compensation mechanism.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

principal can become teacher

Principal can add themselves as teacher and share in teacher pay upon graduation

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.