Hawk High

Issue Summary

The LevelOne contract exhibits an inconsistent security pattern between similar administrative functions. While the expel() function explicitly requires the school to be in session, the removeTeacher() function lacks this contextual validation check. This inconsistency introduces a vulnerability where teachers can be removed during active sessions, potentially disrupting the educational process.

Impact - Medium

The unrestricted ability to remove teachers during active sessions can have several negative consequences:

1. Disruption of the review process, as fewer teachers would be available to provide required student reviews

2. Potential inability to meet the invariant that "students must have gotten all reviews before system upgrade"

3. Academic process integrity compromised if teachers are removed before completing their duties

Likelihood - Medium

This issue depends on principal actions but presents a moderate risk due to:

1. No technical barrier preventing teacher removal during active sessions

2. No warning or indication to the principal that removing teachers mid-session may be problematic

3. The natural administrative workflow might reasonably include teacher adjustments at any time

Technical Details

The contract implements two similar administrative functions with inconsistent security models:

The inconsistency reveals a logical flaw in the contract's design:

• expel() can only be called when inSession == true

• removeTeacher() can be called regardless of session state

• Both functions affect the core participants in the educational process

This discrepancy suggests either:

1. An oversight in implementing consistent session state validation

2. A deliberate but undocumented design decision that lacks clear rationale

Given the educational context of the contract and the requirement for teachers to provide reviews, allowing teacher removal during active sessions contradicts the operational needs of the system.

Proof of Concept

Consider this sequence of events:

1. School session starts with 3 teachers and 30 students

2. Each teacher is responsible for reviewing 10 students over 4 weeks

3. After week 2, the principal calls removeTeacher() on one teacher

4. The remaining 2 teachers now must review additional students

5. If the remaining teachers cannot handle the increased workload, some students may not receive all 4 required reviews

6. System upgrade becomes impossible due to unmet review requirements

Remediation

The security model should be consistent between administrative functions. Two potential fixes:

Option 1: Match the expel() function's model (preferred):

Option 2: Match the addTeacher() function's model:

Either approach would establish a consistent security model across administrative functions, preventing potential disruption to the educational process by ensuring teacher management occurs at appropriate times.