Missing Bursary Reset Allows Repeated Fund Distribution in graduateAndUpgrade
Summary
In the graduateAndUpgrade function, the bursary pool is distributed to teachers and the principal based on predefined percentages. However, the bursary variable is never reset to zero after this distribution. This omission allows the function to be called multiple times, redistributing the same funds repeatedly, resulting in double payments and a critical financial vulnerability.
Vulnerability Details
Problematic Code:
Example Exploit:
Bursary has 1000 USDC.
Principal calls
graduateAndUpgrade, distributing funds.Since
bursaryis not reset, calling the function again will distribute another 1000 USDC.This continues until the contract’s balance is drained.
Impact
Severe Financial Loss: Contract funds can be emptied unfairly.
Abuse of Authority: The principal could maliciously or mistakenly exploit this to repeatedly extract funds.
Broken Upgrade Semantics: Misuse of
graduateAndUpgradenot only upgrades but continues payout cycles.
Tools Used
Manual review
Solidity state variable behavior
Contract flow analysis
Recommendations
Reset the bursary pool to zero after funds have been distributed:
Fixed Code:
Additional Safeguards:
Add a
graduatedflag to prevent re-entry or multiple calls.Add event logging for auditing
bursaryvalues before and after distribution.Include test coverage for double-call scenarios in test suites.
Lead Judging Commences
bursary not updated
The bursary is not updated after wages have been paid in `graduateAndUpgrade()` function
bursary not updated
The bursary is not updated after wages have been paid in `graduateAndUpgrade()` function
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.