Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

Missing Review Completion Validation in System Upgrade

Issue Description

The graduateAndUpgrade function fails to verify that all students have received the required 4 reviews (one per week) before performing the system upgrade, directly violating a critical system invariant: "Students must have gotten all reviews before system upgrade. System upgrade should not occur if any student has not gotten 4 reviews (one for each week)."

Impact - High

Without this validation, the system allows premature graduation and upgrades without completing the full academic evaluation process. This fundamentally undermines the educational integrity of the platform, as students can progress without receiving the complete assessment they are entitled to receive.

Likelihood - High

This issue will occur in any standard graduation cycle where at least one student has not received all four required reviews. Given the manual nature of reviews and the potential for teacher oversight, this is highly likely to occur in practice.

Detailed Analysis

The graduateAndUpgrade function currently lacks any mechanism to check the number of reviews each student has received:

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        if (_levelTwo == address(0)) {
            revert HH__ZeroAddress();
        }
        uint256 totalTeachers = listOfTeachers.length;
        uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
        uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
        _authorizeUpgrade(_levelTwo);
        for (uint256 n = 0; n < totalTeachers; n++) {
            usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
        }
        usdc.safeTransfer(principal, principalPay);
    }

While the contract tracks review counts in the reviewCount mapping and restricts review frequency with the lastReviewTime mapping, it never verifies that students have received all required reviews before upgrading.

This creates several serious issues:

  1. Students can graduate without receiving proper evaluation

  2. The educational process is incomplete

  3. The stated invariant is violated

  4. Teachers might be paid despite not fulfilling their review obligations

The contract does have a giveReview function that updates the reviewCount for each student, but surprisingly, there's a limitation that students can receive a maximum of 5 reviews:

    require(reviewCount[_student] < 5, "Student review count exceeded!!!");

However, this limitation is never balanced with a minimum requirement check during graduation.

Recommendation

Implement a validation in the graduateAndUpgrade function to ensure all students have received exactly 4 reviews:

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        if (_levelTwo == address(0)) {
            revert HH__ZeroAddress();
        }
        // Verify all students have received 4 reviews
        for (uint256 i = 0; i < listOfStudents.length; i++) {
            address student = listOfStudents[i];
            require(reviewCount[student] == 4, "All students must receive exactly 4 reviews before upgrade");
        }
        // Rest of the function remains unchanged
        uint256 totalTeachers = listOfTeachers.length;
        // ...
    }

This ensures compliance with the stated invariant and maintains the educational integrity of the platform.
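
The gate recommended above, as an added stand-alone model (not the Hawk High contract and not the submitter's code): it keeps the `== 4` rule and the cap of 5 from the report, and reports which student blocks the upgrade, which also covers a student who was given a fifth review. `enroll`, `firstBlocker`, `ReviewsIncomplete` and the `upgraded` flag are hypothetical names, and access control is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a stripped-down model of the review gate, not the Hawk High contract.
// listOfStudents, reviewCount and the cap of 5 come from the report; enroll(), firstBlocker(),
// ReviewsIncomplete and the `upgraded` flag are hypothetical. Access control is omitted.
contract ReviewGateModel {
    uint256 public constant REQUIRED_REVIEWS = 4; // one review per week

    address[] public listOfStudents;
    mapping(address => uint256) public reviewCount;
    bool public upgraded;

    error ReviewsIncomplete(address student, uint256 received);

    function enroll(address student) external {
        require(student != address(0), "zero address"); // address(0) is the "no blocker" sentinel
        listOfStudents.push(student);
    }

    // Same cap as the require quoted in the report.
    function giveReview(address student) external {
        require(reviewCount[student] < 5, "Student review count exceeded!!!");
        reviewCount[student] += 1;
    }

    // First student whose count differs from 4, so the caller can see who blocks
    // the upgrade before sending the transaction. (address(0), 0) means nobody does.
    function firstBlocker() public view returns (address student, uint256 received) {
        uint256 total = listOfStudents.length; // read length once, not per iteration
        for (uint256 i = 0; i < total; i++) {
            address s = listOfStudents[i];
            if (reviewCount[s] != REQUIRED_REVIEWS) {
                return (s, reviewCount[s]);
            }
        }
        return (address(0), 0);
    }

    // Gate first, state change after: the revert names the offending student.
    function graduateAndUpgrade() external {
        (address student, uint256 received) = firstBlocker();
        if (student != address(0)) {
            revert ReviewsIncomplete(student, received);
        }
        upgraded = true; // stands in for _authorizeUpgrade and the wage transfers
    }
}
```

In this model a student with 3 reviews and a student with 5 reviews both cause `graduateAndUpgrade` to revert, with `received` showing which case applies.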

Updates

Lead Judging Commences

yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.
