Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Impact: low
Likelihood: medium
Invalid

Missing condition for rule-breaking in expel() __LevelOne.sol

Summary

The expel function allows the principal to expel students but does not enforce any rule-based criteria, enabling arbitrary removals.

Vulnerability Details

The function lacks validation logic to determine whether a student has actually broken any rules. As written, the principal can expel any student at any time during a session, regardless of their behavior, score, or review history.

This breaks the fairness of the system and opens the door to abuse, undermining trust in the contract.

    function expel(address _student) public onlyPrincipal {
        // Only callable while a session is running
        if (inSession == false) {
            revert();
        }
        if (_student == address(0)) {
            revert HH__ZeroAddress();
        }
        if (!isStudent[_student]) {
            revert HH__StudentDoesNotExist();
        }
        // No check of the student's conduct, score or reviews before removal
        uint256 studentLength = listOfStudents.length;
        for (uint256 n = 0; n < studentLength; n++) {
            if (listOfStudents[n] == _student) {
                // Swap with the last entry and pop to remove from the list
                listOfStudents[n] = listOfStudents[studentLength - 1];
                listOfStudents.pop();
                break;
            }
        }
        isStudent[_student] = false;
        emit Expelled(_student);
    }

Impact

Arbitrary expulsion: Principal can remove students without cause

Breaks incentive alignment: Students who follow rules may still be expelled

Loss of trust: Stakeholders cannot rely on deterministic, rule-based governance

Tools Used

Manual review

Recommendations

Introduce rule-based criteria for expulsion.
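
One way such a criterion could be enforced on-chain, as an added example that is not the LevelOne.sol code or a fix from the contest. The teacher role, the starting score of 100, the 10-point review penalty, the cutoff of 70, and the names enroll, giveBadReview, studentScore, CUT_OFF_SCORE, HH__NotAllowed and HH__NoGroundsForExpulsion are assumptions; the check only constrains the principal because the score is written by a different role.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not LevelOne.sol. Roles, score values and the
// HH__NotAllowed / HH__NoGroundsForExpulsion errors are assumptions.
contract ExpelWithCriteria {
    error HH__NotAllowed();
    error HH__ZeroAddress();
    error HH__StudentDoesNotExist();
    error HH__NoGroundsForExpulsion(address student, uint256 score);

    event Expelled(address indexed student, uint256 score);

    address public immutable principal;
    address public immutable teacher; // scores are written by a different role
    uint256 public constant CUT_OFF_SCORE = 70;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore;

    constructor(address _teacher) {
        if (_teacher == address(0)) revert HH__ZeroAddress();
        // If one key held both roles, the rule below would be meaningless.
        if (_teacher == msg.sender) revert HH__NotAllowed();
        principal = msg.sender;
        teacher = _teacher;
    }

    function enroll() external {
        if (isStudent[msg.sender]) revert HH__NotAllowed(); // no score reset
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100;
    }

    function giveBadReview(address _student) external {
        if (msg.sender != teacher) revert HH__NotAllowed();
        if (!isStudent[_student]) revert HH__StudentDoesNotExist();
        uint256 score = studentScore[_student];
        studentScore[_student] = score >= 10 ? score - 10 : 0;
    }

    function expel(address _student) external {
        if (msg.sender != principal) revert HH__NotAllowed();
        if (_student == address(0)) revert HH__ZeroAddress();
        if (!isStudent[_student]) revert HH__StudentDoesNotExist();
        uint256 score = studentScore[_student];
        // The rule: expulsion reverts unless the score is below the cutoff.
        if (score >= CUT_OFF_SCORE) revert HH__NoGroundsForExpulsion(_student, score);
        isStudent[_student] = false;
        emit Expelled(_student, score);
    }
}
```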

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
