Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Teacher payment invariant broken in LevelTwo

Summary

There is a critical invariant break in the teacher wage constant between LevelOne and LevelTwo: the teacher wage rises from 35% to 40% without any validation or migration logic.

Vulnerability Details

The wage constants differ between contracts:

// LevelOne
uint256 public constant TEACHER_WAGE = 35; // 35%
// LevelTwo
uint256 public constant TEACHER_WAGE_L2 = 40; // 40%

This creates several issues:

  1. Unauthorized wage increase (5% more)

  2. Potential financial impact on bursary distribution

Impact

  • Financial Impact: Teachers receive 5% more of the bursary than intended

  • Fund Mismanagement: Bursary distribution becomes unbalanced

  • Trust Issues: Unauthorized change in financial terms

  • Contract Integrity: Core business logic is altered without proper controls

Tools Used

  • Manual code review

Recommendations

  1. Maintain consistent wage constants between versions

  2. Add validation in upgrade process for constant changes

  3. Implement proper migration logic if wage changes are needed

  4. Add checks to ensure financial invariants are maintained

  5. Consider adding a timelock for such critical changes
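As an added illustration of recommendations 2 and 4 (example code, not the Hawk High project's own), an upgrade-time guard that reads the candidate implementation's wage constant and reverts when it departs from the 35% invariant; only the constant names and values come from the report, while the interface, contract, error and PRECISION names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the Hawk High repository. Only the
// constant names and values (TEACHER_WAGE = 35, TEACHER_WAGE_L2 = 40) come
// from the report; ILevelTwoWage, WageInvariantGuard, checkWageInvariant,
// HH__WageInvariantBroken and PRECISION are assumed names.

/// A public constant on the new implementation is readable through its getter.
interface ILevelTwoWage {
    function TEACHER_WAGE_L2() external view returns (uint256);
}

abstract contract WageInvariantGuard {
    uint256 public constant TEACHER_WAGE = 35; // 35%, as in LevelOne
    uint256 public constant PRECISION = 100;   // assumed percentage base

    error HH__WageInvariantBroken(uint256 expected, uint256 actual);

    /// Reverts unless the candidate implementation keeps the 35% teacher wage.
    /// Meant to run in the upgrade path before any funds are distributed.
    function checkWageInvariant(address newImplementation) internal view {
        uint256 actual = ILevelTwoWage(newImplementation).TEACHER_WAGE_L2();
        if (actual != TEACHER_WAGE) {
            revert HH__WageInvariantBroken(TEACHER_WAGE, actual);
        }
    }

    /// Bursary split for a given wage. With a 1,000,000 bursary the teachers'
    /// pool is 350,000 at 35% but 400,000 at 40%, so 50,000 more leaves the
    /// bursary than the documented terms allow.
    function splitBursary(uint256 bursary, uint256 wage)
        internal
        pure
        returns (uint256 teacherPool, uint256 remainder)
    {
        teacherPool = (bursary * wage) / PRECISION;
        remainder = bursary - teacherPool;
    }
}
```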

Updates

Lead Judging Commences

yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
