Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

[H-04] Third Method: The Principal Can Use This Method to Obtain Full Fund Allocation

Vulnerability Details

  1. The removeTeacher function lacks the notYetInSession modifier protection, allowing the principal to remove all teachers during the semester.

  2. As described in the H-01 report, the principal can add themselves as a teacher.

  3. Therefore, after the principal calls graduateAndUpgrade, they will receive a 35%+5% fund allocation. As described in the H-03 report, by repeatedly calling this function, the principal will ultimately obtain the entire fund allocation from the fund pool.

Impact

By combining several vulnerabilities, this is the third method through which the principal can obtain the entire fund allocation!

POC

Not written.

Recommendations

Add the notYetInSession modifier and fix the vulnerabilities in H-01 and H-03.
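
A minimal sketch of the two access-control guards named in the recommendation, added here as an example; it is not the Hawk High contract and not the submitter's code. Only removeTeacher, notYetInSession and the principal role come from the report; the contract name, storage layout, custom errors and startSession are assumptions. The H-03 fix is not modelled because the report does not describe it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified model written for this example. It is NOT the
// Hawk High source; only removeTeacher, notYetInSession and the principal
// role are names taken from the report. Everything else is assumed.
contract SchoolGuardsSketch {
    address public immutable principal;
    bool public inSession;                       // assumed session flag
    mapping(address => bool) public isTeacher;   // assumed teacher registry

    error NotPrincipal();
    error AlreadyInSession();
    error PrincipalCannotTeach();
    error ZeroAddress();
    error TeacherExists();
    error NotATeacher();

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    // Roster changes are only allowed before the session starts.
    modifier notYetInSession() {
        if (inSession) revert AlreadyInSession();
        _;
    }

    constructor() { principal = msg.sender; }

    function addTeacher(address teacher) external onlyPrincipal notYetInSession {
        if (teacher == address(0)) revert ZeroAddress();
        // Guard for the H-01 path: the payer must not also be a payee.
        if (teacher == principal) revert PrincipalCannotTeach();
        if (isTeacher[teacher]) revert TeacherExists();
        isTeacher[teacher] = true;
    }

    // Guard recommended in this report: with notYetInSession the roster
    // is frozen once the session is running.
    function removeTeacher(address teacher) external onlyPrincipal notYetInSession {
        if (!isTeacher[teacher]) revert NotATeacher();
        isTeacher[teacher] = false;
    }

    function startSession() external onlyPrincipal notYetInSession {
        inSession = true;
    }
}
```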

Updates

Lead Judging Commences

yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

principal can become teacher

Principal can add themselves as teacher and share in teacher pay upon graduation

Appeal created

0x996 Submitter
7 months ago
yeahchibyke Lead Judge
7 months ago
yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

principal can become teacher

Principal can add themselves as teacher and share in teacher pay upon graduation
