Submission Details
Severity:
There is no check for `LevelOne::cutOffScore` on students who are qualified to graduate, this breaks one of the invariants
**Description:** One of the invariants states `Any student who doesn't meet the `cutOffScore` should not be upgraded`. However this check is not made on the `LevelOne::graduateAndUpgrade`
**Impact:** This allows any student to graduate even without passing the cutoffscore
**Proof of Concept:**
1. Add teachers
2. Enroll students
3. Start session
4. Upgrade and graduate without checking students cutoffscore
<details>
<summary> Proof of Code </summary>
Add the following in the `LevelOneAndGraduateTest.t.sol`
```js
function test_cant_upgrade_without_all_reviews() public schoolInSession {
vm.warp(block.timestamp + 4 weeks);
levelTwoImplementation = new LevelTwo();
levelTwoImplementationAddress = address(levelTwoImplementation);
bytes memory data = abi.encodeCall(LevelTwo.graduate, ());
vm.prank(principal);
levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);
}
```
</details>
**Tools Used** Manual Review and Foundry
**Recommended Mitigation:** Use `cutOffScore` to add a check on the `graduateAndUpgrade` function to ensure that only students who pass the cutOffScore graduate
Updates
Lead Judging Commences
yeahchibyke about 1 month ago
Submission Judgement Published Assigned finding tags:
cut-off criteria not applied
All students are graduated when the graduation function is called as the cut-off criteria is not applied.
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.