Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Missing Validation in graduateAndUpgrade Function Allows Unauthorized Graduation

Summary

According to the documentation, graduation is subject to specific conditions. However, these conditions are not enforced in the graduateAndUpgrade function. As a result, the principal can prematurely graduate all students, bypassing the intended requirements.

Vulnerability Details

The following graduation conditions are documented but not implemented in the smart contract:

  • Review Completion: Students must receive one review per week (4 in total) before graduation. The system should prevent graduation if any student lacks the required reviews.

  • Minimum Performance Threshold: Students who do not meet the required cutOffScore should not be upgraded.

  • Session Timing: The graduateAndUpgrade function should only be callable after the sessionEnd timestamp has been reached.

These checks are absent from the graduateAndUpgrade logic, allowing unauthorized or premature graduation of students.

Impact

The lack of validation undermines the integrity of the graduation process. The principal can graduate all students regardless of their performance or session timing, which contradicts the system's documented rules.

Tools Used

Manual code review.

Recommendations

Enforce the following checks within the graduateAndUpgrade function:

  1. Ensure all students have received the required number of reviews.

  2. Verify that each student meets or exceeds the cutOffScore.

  3. Confirm that the current block timestamp is at or after sessionEnd.

These validations will ensure the function behaves according to the documented requirements and prevent misuse.
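The three recommended checks in one place, as an added illustrative contract that is not the Hawk High code: only cutOffScore, sessionEnd and graduateAndUpgrade come from the finding; the storage layout (students, reviewCount, studentScore, graduated) and the helper functions are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract, not the audited Hawk High code. Storage names other
// than cutOffScore and sessionEnd are assumptions for this example.
contract GraduationChecks {
    uint256 public constant REQUIRED_REVIEWS = 4; // one review per week, 4 weeks

    address public principal;
    uint256 public cutOffScore;
    uint256 public sessionEnd;
    address[] public students;
    mapping(address => uint256) public reviewCount;  // assumed: reviews received
    mapping(address => uint256) public studentScore; // assumed: current score
    mapping(address => bool) public graduated;

    error NotPrincipal();
    error SessionNotEnded(uint256 sessionEnd, uint256 nowTs);
    error MissingReviews(address student, uint256 have, uint256 need);

    constructor(uint256 _cutOffScore, uint256 _sessionEnd) {
        principal = msg.sender;
        cutOffScore = _cutOffScore;
        sessionEnd = _sessionEnd;
    }

    // Assumed helpers so the example can be exercised end to end.
    function enroll(address student) external {
        if (msg.sender != principal) revert NotPrincipal();
        students.push(student);
    }

    function review(address student, uint256 score) external {
        if (msg.sender != principal) revert NotPrincipal();
        reviewCount[student] += 1;
        studentScore[student] = score;
    }

    function graduateAndUpgrade() external {
        if (msg.sender != principal) revert NotPrincipal();
        // Check 3: the session must have ended before anyone graduates.
        if (block.timestamp < sessionEnd) revert SessionNotEnded(sessionEnd, block.timestamp);

        for (uint256 i = 0; i < students.length; i++) {
            address s = students[i];
            // Check 1: every student needs all four weekly reviews, else abort.
            if (reviewCount[s] < REQUIRED_REVIEWS) revert MissingReviews(s, reviewCount[s], REQUIRED_REVIEWS);
            // Check 2: only students at or above the cut-off are upgraded.
            if (studentScore[s] >= cutOffScore) graduated[s] = true;
        }
    }
}
```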

Updates

Lead Judging Commences

yeahchibyke, Lead Judge, 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.

can graduate without session end

`graduateAndUpgrade()` can be called successfully even when the school session has not ended
