Students Can Graduate Without Receiving All Weekly Reviews
Summary
The system allows a contract upgrade (via graduateAndUpgrade) even if students have not received all 4 reviews (one for each week of a session). This contradicts expected behavior and can lead to incomplete assessments and unfair bursary allocations.
Vulnerability Details
Each student is expected to receive 4 weekly reviews during the session. However, there is:
No validation in
graduateAndUpgrade()to check whether each student has received 4 reviews.An incomplete implementation of
giveReview(), wherereviewCount[_student]is never incremented, making it impossible to verify the number of reviews each student has received.
This enables the principal to prematurely upgrade the system even if students haven't been fairly assessed.
Proof of Concept
reviewCount[_student]is never incremented ingiveReviewfunction therefore we can't track number of reviews per studentThere is no checks in
graduateAndUpgradeon studentReviews amount
Impact
Invariant mentioned in the DOCS will break
Students must have gotten all reviews before system upgrade. System upgrade should not occur if any student has not gotten 4 reviews (one for each week)
Recommendation
Increment
reviewCount[_student]insidegiveReviewAdd check mechanims on students reviews count in
graduateAndUpgrade
Lead Judging Commences
cut-off criteria not applied
All students are graduated when the graduation function is called as the cut-off criteria is not applied.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.