Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Principal can claim 40% of the school bursary balance instead of only 5%

0xkujen

Summary

The principal is able to claim 40% of the school bursary total balance instead of just his 5%.

Vulnerability Details

By adding himself as a teacher (which is not being checked in the source code), after graduation the principal is able to both claim the principal's 5% wage and an additional teacher's 35% wage since he became both a teacher and a principal.

Impact

The principal is able to commit fraud by registering himself as a teacher therefore claiming much more money than he deserves which is basically stealing (40% instead of 5%).

Proof Of Concept

You can find below a unit test I have written to confirm my finding, asserting that the principal's wage will be 40% of the total bursary balance after graduation instead of only 5%:

function testPrincipalCanClaimABiggerWageThanHeDeservesByAddingHimselfAsATeacher() public {
//get some fees from students
_studentsEnrolled();
vm.startPrank(principal);
// making sure the principal is the one from our deployment script
assertEq(principal, deployBot.getPrincipal());
// the principal adds himself as a teacher and starts the session
levelOneProxy.addTeacher(principal);
levelOneProxy.startSession(70);
assertEq(levelOneProxy.isTeacher(principal),true);
assertEq(levelOneProxy.getListOfTeachers()[0],principal);
console2.log("Principal initial balance before graduation: %s",usdc.balanceOf(principal));
assertEq(usdc.balanceOf(principal), 0);
levelTwoImplementation = new LevelTwo();
levelTwoImplementationAddress = address(levelTwoImplementation);
bytes memory data = abi.encodeCall(LevelTwo.graduate, ());
levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);
LevelTwo levelTwoProxy = LevelTwo(proxyAddress);
// assuming schoolFee is 5_000e18, total bursary balance should be 30_000e18
console2.log("Principal final balance after graduation: %s ",usdc.balanceOf(principal));
// the principal expected wage after graduation should be 1_500e18 (5%), however it will be 12_000e18 (40%)
uint256 fraudulentPrincipalWage=(levelTwoProxy.bursary() * 40) / 100;
assertEq(usdc.balanceOf(principal), fraudulentPrincipalWage );
vm.stopPrank();
}

Tools Used

Manual source code review

Recommendations

It is recommended to add a condition that prohibits the principal from adding himself as a teacher in the addTeacher() function:

if (_teacher == address(0)) {
revert HH__ZeroAddress();
}
if (isTeacher[_teacher]) {
revert HH__TeacherExists();
}
if (isStudent[_teacher]) {
revert HH__NotAllowed();
}
if (_teacher == principal){
revert HH_PrincipalCannotAddHimselfAsATeacher();
}
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

principal can become teacher

Principal can add themselves as teacher and share in teacher pay upon graduation

Appeal created

0xkujen Submitter
about 1 month ago
yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

principal can become teacher

Principal can add themselves as teacher and share in teacher pay upon graduation

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.