Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Blacklisted actors like teachers at `LevelOne::graduateAndUpgrade` can block wages payment and upgrade

s3bc40

Summary

USDC token have a blacklist feature that allows the owner to block certain addresses from transferring tokens. If a teacher or the principal are blacklisted, they will not be able to receive their wages during the graduateAndUpgrade function. This can lead to a situation where teachers are not paid for their work and can also block the upgrade process.

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {

if (_levelTwo == address(0)) {

revert HH__ZeroAddress();

}

uint256 totalTeachers = listOfTeachers.length;

uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;

uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;

_authorizeUpgrade(_levelTwo);

for (uint256 n = 0; n < totalTeachers; n++) {

@> usdc.safeTransfer(listOfTeachers[n], payPerTeacher);

}

@> usdc.safeTransfer(principal, principalPay);

}

Impact

The graduateAndUpgrade function does not check if the teachers or principal are blacklisted. Wages payment can be blocked and the upgrade process can be halted. The protocol will not be able to function properly and the funds will be stuck in the contract.

Proof of Concept

One of the teachers is blacklisted.
The principal calls the graduateAndUpgrade function.
The function will revert inside the loop at usdc.safeTransfer(listOfTeachers[n], payPerTeacher); because one of the teachers is blacklisted and cannot receive USDC tokens.
Every actors will be blocked from receiving their wages and the upgrade process will be halted.

Tools Used

Manual review and solodit checklist.

Recommendations

Create try-catch blocks around the usdc.safeTransfer function to handle the case where a teacher or principal is blacklisted. Consider creating an escape hatch to allow the principal (or proxy) to withdraw the funds in case of a blacklisted actor.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!