Hawk High

First Flight #39
Beginner Friendly · Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

H-02. [H-2] Reentrancy in enroll function

Summary

The enroll() function in the LevelOne contract is vulnerable to reentrancy because it makes an external call to the token contract (usdc.safeTransferFrom) before updating its state variables. An attacker can reenter the function during the token transfer callback, potentially manipulating contract state or enrolling multiple times for a single payment.

Vulnerability Details

The enroll() function does not follow the Checks-Effects-Interactions (CEI) pattern: it performs the external call usdc.safeTransferFrom(msg.sender, address(this), schoolFees) before updating state variables (listOfStudents, isStudent, studentScore, etc.).

Attack Scenario:

  i. Attacker deploys a malicious token: a malicious ERC20 token triggers a reentrant call to enroll() from within safeTransferFrom.

  ii. Reentrancy execution:

    1. First call: enroll() → safeTransferFrom → malicious token callback → enroll() again.

    2. Second call: processes another enrollment before the first call has updated state.

  iii. Result:

    1. Attacker enrolls twice while only paying once.

    2. Bursary accounting is corrupted (under-counts fees).

Impact

  1. Attackers can bypass fees or exhaust student slots.

  2. If the contract held ETH/ERC20s, reentrancy could drain funds.

  3. Bursary and studentScore may become inconsistent.

Tools Used

  1. Foundry

  2. VS Code

Recommendations

  1. Apply the Checks-Effects-Interactions pattern: update state first and call safeTransferFrom last.

  2. Use OpenZeppelin’s ReentrancyGuard
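
The ordering problem from Vulnerability Details and both recommendations, shown side by side as an added illustration; this is not the LevelOne contract's own code, only a reconstruction of the enroll() shape the report describes. The storage names (usdc, schoolFees, bursary, listOfStudents, isStudent, studentScore) come from the report; the initial score value, the error name and the OpenZeppelin v5 import paths are assumed. The reentry window exists only if the token at `usdc` can call back into the caller during transferFrom, as the report's malicious-token scenario requires; a fixed, standard ERC20 makes no such callback.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not project code. Import paths assume OpenZeppelin v5.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Shared storage, names taken from the report; layout is assumed.
abstract contract EnrollBase {
    IERC20 public usdc;
    uint256 public schoolFees;
    uint256 public bursary;
    address[] public listOfStudents;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore;

    error AlreadyEnrolled(); // assumed error name
}

// Before: interaction first, effects afterwards. A token that calls back into
// msg.sender during transferFrom reaches enroll() again while
// isStudent[msg.sender] is still false, so the duplicate check passes.
contract EnrollVulnerable is EnrollBase {
    using SafeERC20 for IERC20;

    function enroll() external {
        if (isStudent[msg.sender]) revert AlreadyEnrolled();            // check
        usdc.safeTransferFrom(msg.sender, address(this), schoolFees);    // interaction
        listOfStudents.push(msg.sender);                                // effects
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100; // assumed starting score
        bursary += schoolFees;
    }
}

// After: checks, then effects, then the single external interaction last.
// CEI alone closes the window; nonReentrant is defence in depth.
contract EnrollHardened is EnrollBase, ReentrancyGuard {
    using SafeERC20 for IERC20;

    function enroll() external nonReentrant {
        if (isStudent[msg.sender]) revert AlreadyEnrolled();            // check
        listOfStudents.push(msg.sender);                                // effects
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100; // assumed starting score
        bursary += schoolFees;
        usdc.safeTransferFrom(msg.sender, address(this), schoolFees);    // interaction
    }
}
```

A Foundry test for the hardened version would deploy a mock token whose transferFrom calls enroll() again and assert that the nested call reverts and listOfStudents grows by exactly one.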

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Design choice
