Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: low

Invalid

[L-4] No Emergency Circuit Breaker/Pause Mechanism

nymuelis

Severity

Low

Impact

The contract lacks any emergency pause or circuit breaker mechanism, making it impossible to stop operations if a security vulnerability or critical bug is discovered. This forces the system to continue operating even under adverse conditions, potentially putting funds at risk.

Description

Circuit breakers or emergency pause functions are security best practices for DeFi protocols and financial systems. They provide a way to temporarily halt operations when unexpected behaviors or security issues arise, limiting potential damage.

The Hawk High School contract provides no mechanism to pause operations, leaving the principal with only two options in case of an emergency:

Let the vulnerable system continue operating, risking user funds
Attempt an emergency upgrade, which might not be possible or safe depending on the situation

The contract has funds controlled by business logic, making it a prime candidate for including safety measures like circuit breakers.

Tools Used

Manual code review

Recommended Mitigation

Implement a pause mechanism using OpenZeppelin's Pausable contract:

// LevelOne.sol

+ import {Pausable} from "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";

- contract LevelOne is Initializable, UUPSUpgradeable {

+ contract LevelOne is Initializable, UUPSUpgradeable, PausableUpgradeable {

// ... existing code ...

function initialize(address _principal, uint256 _schoolFees, address _usdcAddress) public initializer {

// ... existing code ...

+ __Pausable_init();

__UUPSUpgradeable_init();

}

+ // Add emergency functions

+ function emergencyPause() external onlyPrincipal {

+ _pause();

+ }

+ function emergencyUnpause() external onlyPrincipal {

+ _unpause();

+ }

// Add whenNotPaused to critical functions

function enroll() external notYetInSession + whenNotPaused {

// ... existing code ...

}

function giveReview(address _student, bool review) public onlyTeacher + whenNotPaused {

// ... existing code ...

}

// Do NOT add whenNotPaused to withdrawal functions

// Allow users to withdraw funds even when paused

}

This ensures that if a vulnerability is discovered, the principal can immediately pause the contract to prevent exploitation, while still allowing critical operations like fund withdrawals to proceed.

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.