`cutOffScore` Is Assigned But Never Used — Invariant Becomes Ineffective
Summary
Although the contract sets a cutOffScore value at the beginning of each session to define the minimum score required for a student to graduate, this value is never referenced or enforced anywhere in the protocol. This oversight violates the documented invariant stating that students must meet the cut-off score to upgrade, rendering grading logic and student assessment meaningless.
Vulnerability Details
According to the contract's documented invariants:
“Any student who doesn't meet the
cutOffScoreshould not be upgraded”
The cutOffScore is set when a session begins:
However, this variable is never used in any logic path. This renders cutOffScore inert — it becomes a meaningless assignment and breaks the intended control based on the student's performance.
Impact
Grading mechanism is non-functional — students can graduate regardless of academic performance.
System allows undeserving students to be upgraded, undermining protocol fairness.
Invariant is violated, making the protocol non-compliant with its own design guarantees.
Misleading interface — users and integrators may assume that
cutOffScoreis enforced when it isn’t.
Tools Used
Manual Code Review
Slither
Recommendations
Integrate
cutOffScoreenforcement directly in the graduation logic, e.g.:
Lead Judging Commences
cut-off criteria not applied
All students are graduated when the graduation function is called as the cut-off criteria is not applied.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.