Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: medium
Invalid

[H-7] Unbounded Loop Denial of Service in `LevelOne::graduateAndUpgrade()`

Description

The graduateAndUpgrade() function in LevelOne.sol iterates over the listOfTeachers array to transfer payPerTeacher USDC tokens to each teacher:

```solidity
for (uint256 n = 0; n < totalTeachers; n++) {
    usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
```

This loop is unbounded: it runs once per entry in listOfTeachers, and that array can grow arbitrarily large. Since each iteration performs a token transfer, which costs a non-trivial amount of gas, the transaction can exceed the block gas limit once listOfTeachers becomes large enough.
This results in a denial of service: the function becomes uncallable as soon as the gas required to pay every teacher exceeds the block gas limit.

Impact

Either an attacker or simply normal usage over time could cause listOfTeachers to grow large enough to render graduateAndUpgrade() uncallable. This effectively bricks the function, preventing:

  • Graduation/upgrades from occurring

  • Salary disbursements to teachers and the principal

  • Authorized upgrades to the _levelTwo contract

This would halt the upgradeability process of the system and disrupt fund distribution, which can have critical consequences in a production environment.

Tools Used

  • Manual review

  • ChatGPT

Recommendations

Use a pull payment model where teachers claim their wages themselves instead of being paid in a loop.
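One way to implement this recommendation, as an added sketch that is not the report's or the Hawk High project's own code: a graduation bumps a single cumulative counter instead of looping over listOfTeachers, and each teacher later withdraws the difference between that counter and their own checkpoint. Only usdc and payPerTeacher are names from the report; PullWages, cumulativeWagePerTeacher, settledWage, isTeacher, addTeacher, graduate and claimWages are invented here, and the contract is assumed to already hold the USDC being paid out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical pull-payment contract; names other than usdc/payPerTeacher are assumed.
contract PullWages {
    using SafeERC20 for IERC20;
    IERC20 public immutable usdc;
    address public immutable principal;
    uint256 public payPerTeacher;

    mapping(address => bool) public isTeacher;
    // Wages accrued per teacher over all graduations so far.
    uint256 public cumulativeWagePerTeacher;
    // Per-teacher checkpoint: the part of the cumulative total already settled.
    mapping(address => uint256) public settledWage;

    constructor(IERC20 _usdc, uint256 _payPerTeacher) {
        usdc = _usdc;
        principal = msg.sender;
        payPerTeacher = _payPerTeacher;
    }

    function addTeacher(address teacher) external {
        require(msg.sender == principal, "not principal");
        isTeacher[teacher] = true;
        // Checkpoint so a teacher added later cannot claim for earlier graduations.
        settledWage[teacher] = cumulativeWagePerTeacher;
    }

    // Replaces the per-teacher transfer loop: constant gas however many
    // teachers are registered, so the block gas limit is never a factor here.
    function graduate() external {
        require(msg.sender == principal, "not principal");
        cumulativeWagePerTeacher += payPerTeacher;
    }

    function claimableWage(address teacher) public view returns (uint256) {
        return cumulativeWagePerTeacher - settledWage[teacher];
    }

    // Each teacher pays gas for their own withdrawal; one recipient that
    // cannot receive tokens no longer blocks everyone else's payment.
    function claimWages() external {
        require(isTeacher[msg.sender], "not a teacher");
        uint256 amount = claimableWage(msg.sender);
        settledWage[msg.sender] = cumulativeWagePerTeacher; // settle before transfer
        usdc.safeTransfer(msg.sender, amount);
    }
}
```

Because the accrual is cumulative, changing payPerTeacher between graduations does not require touching any per-teacher storage.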

Updates

Lead Judging Commences

yeahchibyke Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
