Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Academic Graduation Criteria Bypass Vulnerability

Issue Summary

The LevelOne contract fails to enforce its documented graduation policy. While the system design includes a cutOffScore parameter and student scoring mechanism, the graduateAndUpgrade function does not verify that students have met the minimum score requirement before facilitating their progression to the next academic level.

Technical Details

The contract establishes multiple mechanisms to track student performance:

  1. A cutOffScore state variable is defined and set by the principal

  2. Each student has an associated studentScore that starts at 100

  3. Teachers can decrease scores through negative reviews

  4. The documentation explicitly states: "If they fail to meet the cutoff score at the end of a school session, they will not be graduated to the next level"

However, the critical disconnect occurs in the system upgrade logic. The graduateAndUpgrade function, which handles the transition to the next level:

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        if (_levelTwo == address(0)) {
            revert HH__ZeroAddress();
        }
        uint256 totalTeachers = listOfTeachers.length;
        uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
        uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
        _authorizeUpgrade(_levelTwo);
        // Distributes funds but never checks student scores
        for (uint256 n = 0; n < totalTeachers; n++) {
            usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
        }
        usdc.safeTransfer(principal, principalPay);
    }

The function handles only the financial distribution and the upgrade authorization; it never reads cutOffScore or studentScore, so the academic qualification check that should stop underperforming students from graduating is entirely absent.

Potential Consequences

  1. Academic Integrity Compromise: The entire academic evaluation system loses its meaning if performance has no bearing on advancement.

  2. Trust Violation: Students and teachers participate in a system that claims to have standards but fails to enforce them.

  3. Economic Waste: Teachers are paid for evaluating students even though these evaluations have no practical impact on graduation outcomes.

  4. Reputation Risk: Once stakeholders recognize this disconnect, trust in the institution could collapse.

Remediation

To align implementation with requirements, the graduateAndUpgrade function should be modified to:

  1. Create a filtered list of qualifying students based on the cutOffScore requirement

  2. Either prevent upgrade if any students don't qualify, or exclude non-qualifying students from the upgrade process

  3. Consider implementing a specific event to track which students qualified for graduation

Example solution:

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        if (_levelTwo == address(0)) {
            revert HH__ZeroAddress();
        }
        // First, verify the academic standing of all students
        address[] memory qualifyingStudents = new address[](listOfStudents.length);
        uint256 qualifyingCount = 0;
        for (uint256 i = 0; i < listOfStudents.length; i++) {
            address student = listOfStudents[i];
            if (studentScore[student] >= cutOffScore) {
                qualifyingStudents[qualifyingCount] = student;
                qualifyingCount++;
            } else {
                // Optionally emit an event for students who failed to qualify
                emit FailedGraduation(student, studentScore[student], cutOffScore);
            }
        }
        // Require at least one qualifying student to proceed
        require(qualifyingCount > 0, "No students qualify for graduation");
        // Process graduation only for qualifying students
        // [Implementation details for handling qualifying students...]
        // Continue with existing logic for payment and upgrade
        uint256 totalTeachers = listOfTeachers.length;
        uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
        uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
        _authorizeUpgrade(_levelTwo);
        // Distribution logic
        // ...
    }

This implementation would ensure that only academically qualified students graduate, maintaining the integrity of the stated graduation requirements.
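The example above allocates the qualifying array at listOfStudents.length and leaves trailing zero addresses, and it mixes the check with the payment logic. The following is an added, self-contained illustration (not Hawk High's own code) that isolates the cut-off check in one function so it can be unit-tested on its own; the contract name, the enrollWithScore fixture helper, the Graduated event and the HH__NoQualifyingStudents error are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: isolates the graduation cut-off check from fund distribution.
/// Names other than cutOffScore, listOfStudents, studentScore and FailedGraduation
/// are hypothetical and not taken from the LevelOne contract.
contract GraduationGate {
    uint256 public cutOffScore;
    address[] public listOfStudents;
    mapping(address => uint256) public studentScore;

    event FailedGraduation(address indexed student, uint256 score, uint256 cutOff);
    event Graduated(address indexed student, uint256 score);

    error HH__NoQualifyingStudents();

    constructor(uint256 _cutOffScore) {
        cutOffScore = _cutOffScore;
    }

    /// Constructed test fixture: enrol a student with an explicit score
    /// (the real contract starts every student at 100 and lowers it via reviews).
    function enrollWithScore(address student, uint256 score) external {
        listOfStudents.push(student);
        studentScore[student] = score;
    }

    /// Returns only students at or above cutOffScore, sized exactly, and emits
    /// one event per outcome so the graduation set is visible on-chain.
    /// Reverts when nobody qualifies, matching the remediation's "at least one".
    function qualifyingStudents() public returns (address[] memory qualified) {
        uint256 n = listOfStudents.length;
        qualified = new address[](n);
        uint256 count;
        for (uint256 i = 0; i < n; i++) {
            address s = listOfStudents[i];
            uint256 score = studentScore[s];
            if (score >= cutOffScore) {
                qualified[count++] = s;
                emit Graduated(s, score);
            } else {
                emit FailedGraduation(s, score, cutOffScore);
            }
        }
        if (count == 0) revert HH__NoQualifyingStudents();
        // Shrink the memory array to the entries actually written (no zero padding).
        assembly {
            mstore(qualified, count)
        }
    }
}
```

A Foundry test for the fix can enrol one student at 100 and one at 60 with cutOffScore 70, then assert that qualifyingStudents().length is 1 and that FailedGraduation was emitted for the second student; the same test against the unpatched graduateAndUpgrade never reverts, which is the finding.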

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called, as the cut-off criteria are not applied.
