Submission Details
Severity:
System upgrade can be done even when no review has been made on the students, this breaks one of the invariants
**Description:** One of the invariants states `Students must have gotten all reviews before system upgrade. System upgrade should not occur if any student has not gotten 4 reviews (one for each week)`. However this check is not made on the `LevelOne::graduateAndUpgrade`
**Impact:** This allows system upgrade to be made on an going session without students receiving reviews for graduation
**Proof of Concept:**
1. Add teachers
2. Enroll students
3. Start session
4. Upgrade system without making any review
<details>
<summary> Proof of Code </summary>
Add the following in the `LevelOneAndGraduateTest.t.sol`
```js
function test_cant_upgrade_without_all_reviews() public schoolInSession {
vm.warp(block.timestamp + 4 weeks);
levelTwoImplementation = new LevelTwo();
levelTwoImplementationAddress = address(levelTwoImplementation);
bytes memory data = abi.encodeCall(LevelTwo.graduate, ());
vm.prank(principal);
levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);
}
```
</details>
**Tools Used** Manual Review and Foundry
**Recommended Mitigation:** Add a check on the `graduateAndUpgrade` function to ensure that all enrolled students are done a review before upgrading the system
Updates
Lead Judging Commences
yeahchibyke 16 days ago
Submission Judgement Published Assigned finding tags:
cut-off criteria not applied
All students are graduated when the graduation function is called as the cut-off criteria is not applied.
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.