Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Upgrade logic problem

jufel

Description: Although LevelOne::startSession sets 'cutOffScore', LevelOne::graduateAndUpgrade never checks whether a student's score meets it. Every student end up treated the same and the '_levelTwo' address is never used to actually bridge or upgrade students.

Impact: Poor-performing students pass automatically and upgrade logic is effectively dead code. Bursary distribution can occur even if no one qualifies, and the 'Graduated' events 'levelTwo' address is never used.

Proof of Concept: Include the following test in the LevelOneAndGraduateTest.t.sol file:

function testGraduateAnyScore() public {
_teachersAdded();
_studentsEnrolled();
vm.prank(principal);
levelOneProxy.startSession(200); // impossible score
// even though studentScore < cutOffScore, graduation still proceeds
levelTwoImplementation = new LevelTwo();
levelTwoImplementationAddress = address(levelTwoImplementation);
bytes memory data = abi.encodeCall(LevelTwo.graduate, ());
vm.prank(principal);
levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);
// No revert, bursary is distributed
}

Recommended Mitigation:

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
+ for (uint i = 0; i < listOfStudents.length; i++) {
+ address student = listOfStudents[i];
+ if (studentScore[student] >= cutOffScore) {
+ // optionally expel / refund / emit failure event
+ } else { LevelTwo(_levelTwo).upgradeToAndCall(student, data); }
+ }
}
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.