Submission Details
Severity:
Unbounded Loop in graduateAndUpgrade() function leads to potential DoS (Denial of Service)
Summary - The graduateAndUpgrade() function in the LevelOne contract contains an unbounded loop over listOfTeachers. In scenarios where the number of teachers is large, this loop may consume excessive gas, causing the transaction to fail. This effectively locks the upgrade and graduation process, resulting in a Denial of Service (DoS) vulnerability.
Vulnerability Details - In the following code from the graduateAndUpgrade() function:
uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
_authorizeUpgrade(_levelTwo);
for (uint256 n = 0; n < totalTeachers; n++) {
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
usdc.safeTransfer(principal, principalPay);```
The for loop iterates through listOfTeachers to transfer tokens to each teacher.
If the number of teachers grows large enough, the transaction will exceed the block gas limit.
This will cause every call to graduateAndUpgrade() to fail, permanently preventing the school from graduating students or upgrading the contract — creating a DoS scenario.
## Impact - Denial of Service: The graduateAndUpgrade() function will fail to execute once listOfTeachers grows too large. This blocks:
Teacher payouts
Principal payout
Contract upgrade process
Governance Paralysis: Upgrading to levelTwo is a critical function for the lifecycle of the system. DoS in this function prevents any protocol progression.
User Trust Damage: Teachers and principals expecting payment would be indefinitely stuck without recourse if this function fails.
## Tools Used - Manual code review
## Recommendations - Use Pull Payments Pattern: Instead of looping and pushing payments inside the graduateAndUpgrade() function, accumulate balances and allow teachers and the principal to withdraw their payouts themselves like each teacher calls withdraw() separately to claim their pay.
Limit Number of Teachers: Enforce an upper cap on the maximum number of teachers allowed.
Batch Payouts: If full migration to pull payments isn't desired, implement batch processing using pagination (e.g., process 10 teachers per transaction).
Warn During Enrollment: Notify or revert when teacher count approaches a critical threshold where the graduateAndUpgrade() function risks gas exhaustion.
Updates
Lead Judging Commences
yeahchibyke 3 months ago
Submission Judgement Published Assigned finding tags:
inefficient teacher payment system
Due to the use of a push system as regards payment of teacher wages, there is a risk of possible DoS as gas costs increase in direct proportion to size of teachers list.
Appeal created
khandelwalmoksh787
3 months ago
yeahchibyke
3 months ago
yeahchibyke 3 months ago
Submission Judgement Published Assigned finding tags:
inefficient teacher payment system
Due to the use of a push system as regards payment of teacher wages, there is a risk of possible DoS as gas costs increase in direct proportion to size of teachers list.
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.