Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

[M-03] `giveReview` has functionality issues and unreasonable cases

Vulnerability Details

  1. Unreasonable Functionality_1: Due to the absence of the `notYetInSession` modifier, a teacher can review a student even before the school year starts, as long as the student is registered.

  2. Missing Functionality: When `review = false`, `giveReview` deducts points from the student, but there is no point addition when `review = true`. This is a critical missing functionality!

  3. Unreasonable Functionality_2: `giveReview` checks `reviewCount < 5`, but fails to increment this value, causing the condition to always be true. Therefore, a teacher can review a student an unlimited number of times, eventually reducing their score to 0!

Impact

Due to the missing and unreasonable functionalities in giveReview, students will be treated unfairly, as detailed above.

POC

Not written.

Recommendations

  1. Add the `notYetInSession` modifier.

  2. Add `reviewCount[_student] += 1`.

  3. Add a point addition operation when `review = true`: `studentScore[_student] += 10;`
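
The counter defect from item 3 beside the same function with recommendations 2 and 3 applied, as an added sketch that is not the Hawk High contract's code. The contract name, `MAX_REVIEWS`, `STEP`, `enroll`, the `Unbounded`/`Bounded` suffixes, the starting score of 100 and the deduction size are assumptions; access control and the session check are left out to isolate the counter logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the Hawk High source. ReviewLimitSketch, MAX_REVIEWS, STEP,
// enroll and the Unbounded/Bounded suffixes are hypothetical names.
contract ReviewLimitSketch {
    uint256 public constant MAX_REVIEWS = 5; // the `reviewCount < 5` limit
    // 10 matches the `+= 10` in recommendation 3; the deduction size is assumed equal.
    uint256 public constant STEP = 10;

    mapping(address => uint256) public studentScore;
    mapping(address => uint256) public reviewCount;

    function enroll(address _student) external {
        studentScore[_student] = 100; // assumed starting score
    }

    // Behaviour the finding describes: the limit is read but never written,
    // so the require below can never fail and bad reviews drain the score.
    function giveReviewUnbounded(address _student, bool review) external {
        require(reviewCount[_student] < MAX_REVIEWS, "review limit reached");
        if (!review) _deduct(_student);
    }

    // Recommendations 2 and 3 applied: each call consumes one review slot,
    // and a good review adds points.
    function giveReviewBounded(address _student, bool review) external {
        require(reviewCount[_student] < MAX_REVIEWS, "review limit reached");
        reviewCount[_student] += 1; // counts good and bad reviews alike
        if (review) {
            studentScore[_student] += STEP;
        } else {
            _deduct(_student);
        }
    }

    // Saturates at zero; a bare `-=` would revert on underflow in 0.8.x.
    function _deduct(address _student) private {
        uint256 score = studentScore[_student];
        studentScore[_student] = score > STEP ? score - STEP : 0;
    }
}
```

With these assumed values, ten bad reviews through `giveReviewUnbounded` take a score from 100 to 0, while `giveReviewBounded` reverts on the sixth call, so bad reviews can remove at most 50 points.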

Updates

Lead Judging Commences

yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

session state not updated

`inSession` not updated after during upgrade

Appeal created

0x996 Submitter
7 months ago
yeahchibyke Lead Judge
7 months ago
yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

session state not updated

`inSession` not updated after during upgrade
