Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

No Grade-Based Graduation Filter

dynamo

Summary

The contract sets a cutOffScore during session initialization but fails to enforce this threshold during graduation, violating a key system invariant. Despite the requirement that "Only students who meet the cutoff score can graduate to the next level," all students are processed identically during graduation regardless of their academic performance.

Vulnerability Details

function startSession(uint256 _cutOffScore) public onlyPrincipal notYetInSession {

sessionEnd = block.timestamp + 4 weeks;

inSession = true;

cutOffScore = _cutOffScore;

emit SchoolInSession(block.timestamp, sessionEnd);

}

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {

if (_levelTwo == address(0)) {

revert HH__ZeroAddress();

}

uint256 totalTeachers = listOfTeachers.length;

uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;

uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;

_authorizeUpgrade(_levelTwo);

for (uint256 n = 0; n < totalTeachers; n++) {

usdc.safeTransfer(listOfTeachers[n], payPerTeacher);

}

usdc.safeTransfer(principal, principalPay);

}

The graduateAndUpgrade function violates a critical system invariant by:

Never checking student scores against the cutOffScore
Failing to filter which students should graduate to the next level
Allowing all students to progress regardless of academic performance

Additionally, the contract doesn't verify that each student has received exactly 4 reviews before graduation, as specified in the student invariants.

Impact

This vulnerability breaks multiple core educational principles of the system:

The invariant "Only students who meet the cutoff score can graduate to the next level" is completely violated
Students with failing grades can progress to more advanced levels
The review system becomes meaningless since scores have no impact on graduation
Teachers' evaluation work is rendered pointless
The principal's authority to set academic standards is undermined

Tools Used

Recommendations

Modify the graduateAndUpgrade function to enforce the student invariants:

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {

if (_levelTwo == address(0)) {

revert HH__ZeroAddress();

}

// Only proceed if session has ended

require(block.timestamp >= sessionEnd, "Session has not ended yet");

// Verify that students have received 4 reviews

uint256 studentLength = listOfStudents.length;

address[] memory passingStudents = new address[](studentLength);

uint256 passingCount = 0;

for (uint256 i = 0; i < studentLength; i++) {

address student = listOfStudents[i];

// Check if student has received exactly 4 reviews

require(reviewCount[student] == 4, "Student has not received required reviews");

// Filter students based on cutoff score

if (studentScore[student] >= cutOffScore) {

passingStudents[passingCount] = student;

passingCount++;

} else {

// Non-passing students remain in LevelOne

// Consider resetting their score for next session

studentScore[student] = 100;

}

// Process graduation for passing students only

// Note: The teacher payment calculation issue shown here (dividing by totalTeachers)

// is addressed in a separate finding about incorrect bursary distribution

uint256 totalTeachers = listOfTeachers.length;

uint256 totalTeacherAllocation = (bursary * TEACHER_WAGE) / PRECISION;

uint256 payPerTeacher = totalTeachers > 0 ? totalTeacherAllocation / totalTeachers : 0;

uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;

_authorizeUpgrade(_levelTwo);

for (uint256 n = 0; n < totalTeachers; n++) {

usdc.safeTransfer(listOfTeachers[n], payPerTeacher);

}

usdc.safeTransfer(principal, principalPay);

emit Graduated(_levelTwo, passingCount);

}

This implementation ensures that:

Only students who meet the cutoff score graduate
Each student has received the required 4 reviews
The session has properly ended before graduation

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.