Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Underflow in studentScore (Root Cause: subtraction without saturating to 0)

Each negative review executes studentScore[_student] -= 10;.
If the current score is below 10, the subtraction underflows and, because Solidity 0.8 arithmetic is checked, the EVM reverts with Panic(0x11); nothing is written.
The contract performs no prior check that the score is at least 10, so the first negative review that would drive the score below zero reverts, and so does every later negative review of that student: negative reviews for that student are permanently blocked. (Wrapping the subtraction in `unchecked` would not help; it would silently wrap the score to 2^256 - 10 instead of reverting.)

Impact:

  • Functional DoS: no teacher can ever record another negative review of the affected student; every such call reverts.

  • Loss of academic integrity: further negative reviews of that student are never recorded, so the score stops reflecting the teachers' assessment.

  • Potential systemic lock-up if other functions depend on reviews of that student succeeding.


Proof of Concept:

// Foundry test. _teachersAdded(), _studentsEnrolled(), principal, alice, dan and
// levelOneProxy are fixtures of the test contract this function lives in.
function test_scoreUnderflowBlocksFutureReviews() public {
    _teachersAdded();
    _studentsEnrolled();
    // start the session
    vm.prank(principal);
    levelOneProxy.startSession(70);
    vm.warp(block.timestamp + 1 weeks);
    vm.startPrank(alice); // teacher
    // 10 negative reviews, one per week: score goes from 100 to 0
    for (uint256 i; i < 10; ++i) {
        levelOneProxy.giveReview(dan, false);
        vm.warp(block.timestamp + 1 weeks);
    }
    // week 11: another negative review tries to subtract 10 from 0 -> underflow
    vm.expectRevert(); // any revert; stdError.arithmeticError from forge-std would pin it to Panic(0x11)
    levelOneProxy.giveReview(dan, false);
    vm.stopPrank();
}

Recommended Mitigation:

function _applyNegativeReview(address student) internal {
    if (studentScore[student] >= 10) {
        studentScore[student] -= 10;
    } else {
        studentScore[student] = 0; // or revert with an explicit custom error
    }
}

Alternatively, revert with a named custom error whenever the score is already below 10, so callers can distinguish "score at the floor" from an arithmetic bug. Note that SafeMath adds nothing on Solidity >= 0.8 (the built-in checked arithmetic is exactly what raises the panic), SafeCast does not apply to a subtraction, and `unchecked` is only acceptable after the `>= 10` guard has run; on its own it turns the revert into a silent wrap-around.
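To show the failure mode and the two guarded forms side by side, here is an added, self-contained example. It is not the Hawk High contract and not part of the original submission: a minimal score contract (ScoreBoard, an assumed name) with the plain checked subtraction next to a saturating variant and a variant that reverts with an explicit error, plus a Foundry test that pins the revert to Panic(0x11) using forge-std's stdError.arithmeticError instead of accepting any revert. The contract, function and test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, stdError} from "forge-std/Test.sol";

/// Added example, not the Hawk High contract. Scores start at 100 and drop by
/// 10 per negative review; the three review functions differ only in how the
/// subtraction handles a score that is already below 10.
contract ScoreBoard {
    error ScoreAlreadyZero(address student);

    mapping(address => uint256) public score;

    function enroll() external {
        score[msg.sender] = 100;
    }

    /// Variant 1, the pattern from the finding: plain checked subtraction.
    /// With score < 10 this reverts with Panic(0x11) and nothing is written.
    function reviewPlain(address student) external {
        score[student] -= 10;
    }

    /// Variant 2: saturate at zero. A negative review of a zero score is a no-op.
    function reviewSaturating(address student) external {
        uint256 s = score[student];
        score[student] = s >= 10 ? s - 10 : 0;
    }

    /// Variant 3: refuse with a named error instead of a bare panic, so callers
    /// can tell "already at the floor" apart from a genuine arithmetic bug.
    /// `unchecked` is safe here only because the guard runs first.
    function reviewStrict(address student) external {
        uint256 s = score[student];
        if (s < 10) revert ScoreAlreadyZero(student);
        unchecked {
            score[student] = s - 10;
        }
    }
}

contract ScoreBoardTest is Test {
    ScoreBoard internal board;
    address internal student = makeAddr("student");

    function setUp() public {
        board = new ScoreBoard();
        vm.prank(student);
        board.enroll();
    }

    function test_plainSubtractionPanicsAtZero() public {
        for (uint256 i; i < 10; ++i) board.reviewPlain(student);
        assertEq(board.score(student), 0);
        // Pin the revert to Panic(0x11) rather than accepting any revert.
        vm.expectRevert(stdError.arithmeticError);
        board.reviewPlain(student);
    }

    function test_saturatingNeverReverts() public {
        for (uint256 i; i < 11; ++i) board.reviewSaturating(student);
        assertEq(board.score(student), 0);
    }

    function test_strictRevertsWithNamedError() public {
        for (uint256 i; i < 10; ++i) board.reviewStrict(student);
        vm.expectRevert(abi.encodeWithSelector(ScoreBoard.ScoreAlreadyZero.selector, student));
        board.reviewStrict(student);
    }
}
```

Run it with `forge test --match-contract ScoreBoardTest` in a project that has forge-std installed. The first test is the bug as the finding describes it; the second and third are the two mitigations, and the strict variant is the one to prefer when the caller needs to know that the review was refused rather than silently absorbed.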

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
