Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

[L-01] Post-Graduation Review Vulnerability Allows Teachers to Manipulate Graduated Student Scores

0xshaedyw

Summary

The review system fails to prevent teachers from modifying student scores even after graduation and system upgrade, creating potential for malicious score manipulation that could retroactively invalidate already-approved graduations.

Vulnerability Details

Location

File: levelOne.sol
Function: giveReview(address _student, bool review)

Critical Issues

Missing Session Status Check:
- Reviews can be given indefinitely after session ends
- No protection against post-graduation modifications
Temporal Validation Failure:
- Only checks time since last review, not absolute session bounds
- Allows infinite review cycles beyond intended 4-week session
Graduation Integrity Risk:
- Final scores aren't truly final

Proof of Concept

Test Case:

function test_post_graduation_review_manipulation() public {

// Setup system and graduate student

levelTwoImplementation = new LevelTwo();

address levelTwo = address(levelTwoImplementation);

vm.prank(principal);

levelOneProxy.addTeacher(alice);

address student = makeAddr("student");

deal(address(usdc), student, 10_000e18);

vm.prank(student);

usdc.approve(address(levelOneProxy), schoolFees);

vm.prank(student);

levelOneProxy.enroll();

// Complete graduation process

vm.startPrank(principal);

levelOneProxy.startSession(70);

levelOneProxy.graduateAndUpgrade(levelTwo, "");

vm.stopPrank();

// Malicious post-graduation review

vm.warp(block.timestamp + 6 weeks); // Far beyond session

vm.prank(alice);

levelOneProxy.giveReview(student, false); // Unfair penalty

// Verify score changed post-graduation

assertEq(levelOneProxy.studentScore(student), 90);

}

Test Result:

Ran 1 test for test/LevelOneAndGraduateTest.t.sol:LevelOneAndGraduateTest

[PASS] test_post_graduation_review_manipulation() (gas: 1107515)

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 30.97ms (7.34ms CPU time)

Impact

Compromises finality of academic records
Enables retroactive invalidation of graduations
Undermines trust in credentialing system

Tools Used

Foundry (forge test)

Recommendations

1) Enforce Session Bounds or 2) Implement graduation lock

function giveReview(address _student, bool review) public onlyTeacher {

require(inSession, "Reviews only during active session");

// ... existing checks ...

}

mapping(address => bool) public isGraduated;

function giveReview(address _student, bool review) public onlyTeacher {

require(!isGraduated[_student], "Student already graduated");

// ... existing checks ...

}

Updates

Lead Judging Commences

yeahchibyke Lead Judge

4 months ago

yeahchibyke Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

session state not updated

`inSession` not updated after during upgrade

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.