Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

`Principal` can remove teachers after the session started

Description and Impact

The Principal can add teachers only before the session starts, but can remove teachers even after the session has started.

The Principal can leverage this because it gives him more control than necessary over how the school's budget is distributed among the teachers.

This can be leveraged to achieve 2 different outcomes:

  1. The Principal can come up with excuses to remove a teacher (or more) just before executing `LevelOne::graduateAndUpgrade`, either to punish a teacher who does not have a good relationship with him or simply to help certain teachers make more money than they deserve.

  2. If the Principal adds himself as a teacher too (using another issue that exists within `LevelOne`), he can come up with excuses to remove a teacher (or more) just before executing `LevelOne::graduateAndUpgrade`, so that he is also eligible for a percentage of the 35% dedicated to the teachers.

Recommended mitigation

Add the `notYetInSession` modifier to `LevelOne::removeTeacher`.

Or, if it is intended that teachers can be removed at any time, implement a system to verify whether a teacher misbehaved during the session, so that the Principal can remove only malicious teachers.
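A minimal sketch of the first option, added here as an illustration and not taken from the Hawk High `LevelOne` source: teacher removal is put behind the same `notYetInSession` gate as teacher addition, so the roster is fixed once the session starts. The contract name, storage variables, custom errors, events and `startSession` are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's LevelOne contract.
// Storage layout, errors, events and startSession() are assumptions.
contract TeacherRosterSketch {
    address public immutable principal;
    bool public inSession;
    uint256 public teacherCount;
    mapping(address => bool) public isTeacher;

    error NotPrincipal();
    error AlreadyInSession();
    error ZeroAddress();
    error AlreadyTeacher();
    error NotTeacher();

    event TeacherAdded(address indexed teacher);
    event TeacherRemoved(address indexed teacher);

    constructor() { principal = msg.sender; }

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }
    // The gate the report says already restricts adding teachers.
    modifier notYetInSession() {
        if (inSession) revert AlreadyInSession();
        _;
    }

    function addTeacher(address t) external onlyPrincipal notYetInSession {
        if (t == address(0)) revert ZeroAddress();
        if (isTeacher[t]) revert AlreadyTeacher();
        isTeacher[t] = true;
        teacherCount++;
        emit TeacherAdded(t);
    }
    // Mitigation: removal reverts once the session has started, so the set
    // of teachers sharing the payout cannot change before graduation.
    function removeTeacher(address t) external onlyPrincipal notYetInSession {
        if (!isTeacher[t]) revert NotTeacher();
        isTeacher[t] = false;
        teacherCount--;
        emit TeacherRemoved(t);
    }
    function startSession() external onlyPrincipal notYetInSession {
        inSession = true;
    }
}
```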

PoC

There is no PoC. The issue can be understood easily.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 20 days ago
Submission Judgement Published
Invalidated
Reason: Design choice
