Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Missing Cutoff Score Validation in Graduation Function

Issue Description

The graduateAndUpgrade function fails to implement a critical business logic requirement: preventing students who haven't met the minimum score threshold from graduating. While the contract initializes and tracks a cutOffScore in the startSession function, this value is never actually used to validate student eligibility during the graduation process.

Impact

High Severity. The absence of this validation completely bypasses a core academic requirement of the system. All students will be promoted to the next level regardless of their performance, which:

  • Undermines the entire academic assessment system

  • Invalidates the purpose of tracking student scores

  • Defeats the purpose of the teacher review mechanism

  • Contradicts the explicitly stated graduation requirements

Detailed Analysis

In the current implementation:

  1. The cutOffScore is set in startSession:

    function startSession(uint256 _cutOffScore) public onlyPrincipal notYetInSession {
        sessionEnd = block.timestamp + 4 weeks;
        inSession = true;
        cutOffScore = _cutOffScore;
        // ...
    }

  2. Teachers can give reviews that affect student scores via giveReview:

    function giveReview(address _student, bool review) public onlyTeacher {
        // ...
        if (!review) {
            studentScore[_student] -= 10;
        }
        // ...
    }

  3. However, the graduateAndUpgrade function processes graduation for all students without checking their scores:

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        // No validation against cutOffScore
        // ...
    }

This completely negates the stated requirement: "If they fail to meet the cutoff score at the end of a school session, they will be not graduated to the next level when the Principal upgrades the system."

Recommendation

Implement the missing validation in the graduateAndUpgrade function:

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        if (_levelTwo == address(0)) {
            revert HH__ZeroAddress();
        }
        // Ensure all students meet the cutoff score
        for (uint256 i = 0; i < listOfStudents.length; i++) {
            address student = listOfStudents[i];
            require(studentScore[student] >= cutOffScore, "Student does not meet graduation requirements");
        }
        // Rest of the function...
    }

Alternatively, if students who don't meet the criteria should be expelled rather than blocking the upgrade:

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        if (_levelTwo == address(0)) {
            revert HH__ZeroAddress();
        }
        // Expel students who don't meet the cutoff score
        uint256 i = 0;
        while (i < listOfStudents.length) {
            if (studentScore[listOfStudents[i]] < cutOffScore) {
                // expel modifies the array, so re-check the same index instead of
                // advancing; decrementing i here would underflow at index 0 under
                // checked arithmetic
                expel(listOfStudents[i]);
            } else {
                i++;
            }
        }
        // Rest of the function...
    }

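
The contrast between the unchecked and the checked graduation path, as an added example that is not the audited contract or the project's own code. The state variable names follow the report; the contract name, enroll, penalize, _remove, the starting score of 100 and the swap-and-pop removal are assumptions made for illustration, and access control is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for the school contract (added illustration, no access control).
// enroll(), penalize() and _remove() are hypothetical helpers, not functions from the report.
contract CutoffModel {
    address[] public listOfStudents;
    mapping(address => uint256) public studentScore;
    uint256 public cutOffScore;

    constructor(uint256 _cutOffScore) {
        cutOffScore = _cutOffScore;
    }

    function enroll(address student) external {
        listOfStudents.push(student);
        studentScore[student] = 100; // assumed starting score
    }

    // Mirrors the bad-review branch quoted from giveReview.
    function penalize(address student) external {
        studentScore[student] -= 10;
    }

    // Vulnerable shape: cutOffScore is never read, so every student is counted.
    function graduateUnchecked() external view returns (uint256 graduated) {
        return listOfStudents.length;
    }

    // Corrected shape: drop failing students first, then graduate the rest.
    function graduateChecked() external returns (uint256 graduated) {
        uint256 i = 0;
        while (i < listOfStudents.length) {
            if (studentScore[listOfStudents[i]] < cutOffScore) {
                _remove(i); // the swapped-in entry now sits at i, so re-check it
            } else {
                i++;
            }
        }
        return listOfStudents.length;
    }

    // Swap-and-pop removal (assumed; the real expel() body is not shown in the report).
    function _remove(uint256 index) private {
        listOfStudents[index] = listOfStudents[listOfStudents.length - 1];
        listOfStudents.pop();
    }
}
```

With a cutoff of 70, three enrolled students and one of them penalized four times (score 60), graduateUnchecked returns 3 while graduateChecked returns 2.
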
Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.
