Submission Details
Severity:
In `LevelOne:giveReview` function there is no check if sessionEnded, enabling teachers to `giveReview` after session end
Description: In LevelOne:giveReview function there is no checking mechanism to prevent review after sessionEnd, allowing teacher to give review to students after sessionEnd.
Vulnerability Details: In LevelOne:giveReview There is no check if Session ended or not
function giveReview(address _student, bool review) public onlyTeacher {
@>
if (!isStudent[_student]) {
revert HH__StudentDoesNotExist();
}
require(reviewCount[_student] < 5, "Student review count exceeded!!!");
require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
// where `false` is a bad review and true is a good review
if (!review) {
studentScore[_student] -= 10;
}
// Update last review time
lastReviewTime[_student] = block.timestamp;
emit ReviewGiven(_student, review, studentScore[_student]);
}
Impact: teacher are allowed to review students after sessionEnd
Tools Used: Manual Review
Proof of Concept: Add this test suit to your LeveOnelAndGraduateTest.t.sol code
Proof of Code
function test_confirm_can_give_review_After_Session_End() public schoolInSession {
vm.warp(block.timestamp + 5 weeks);
vm.roll(block.number + 1);
vm.prank(alice);
levelOneProxy.giveReview(harriet, false);
assert(levelOneProxy.studentScore(harriet) == 90);
assert(levelOneProxy.getSessionStatus() == true);
assert(block.timestamp > levelOneProxy.getSessionEnd());
}
Recommendations: Add the following line in your code
function giveReview(address _student, bool review) public onlyTeacher {
+ if(block.timestamp > sessionEnd) {
+ revert HH__SessionEnded();
+ }
if (!isStudent[_student]) {
revert HH__StudentDoesNotExist();
}
require(reviewCount[_student] < 5, "Student review count exceeded!!!");
require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
// where `false` is a bad review and true is a good review
if (!review) {
studentScore[_student] -= 10;
}
// Update last review time
lastReviewTime[_student] = block.timestamp;
emit ReviewGiven(_student, review, studentScore[_student]);
}
and Add the custom error in the contract
+ error HH__SessionEnded();
Updates
Lead Judging Commences
yeahchibyke about 1 month ago
Submission Judgement Published Assigned finding tags:
session state not updated
`inSession` not updated after during upgrade
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.