Hawk High

First Flight #39
Beginner Friendly
Solidity
100 EXP
Submission Details
Severity: low
Valid

Missing 'reviewCount' Increment & Underflow

Description: In LevelOne::giveReview, 'reviewCount[_student]' is checked but never incremented, so teachers can issue unlimited "bad" reviews. Each time 'review' is false, 'studentScore' drops by 10, and it can underflow below zero, causing a revert in Solidity 0.8+ and a permanent lock.

Impact: A teacher can repeatedly call giveReview(student, false) (respecting the 1-week interval) until 'studentScore' underflows, blocking further reviews or graduation and locking that student in the system.

Proof of Concept: Include the following test in the LevelOneAndGraduateTest.t.sol file:

    function testUnderflowReview() public schoolInSession {
        // studentScore == 100, each bad review −10
        for (uint256 i = 0; i < 10; i++) {
            vm.warp(block.timestamp + levelOneProxy.reviewTime());
            vm.prank(alice);
            levelOneProxy.giveReview(harriet, false);
        }
        // next call underflows
        vm.warp(block.timestamp + levelOneProxy.reviewTime());
        vm.startPrank(alice);
        vm.expectRevert();
        levelOneProxy.giveReview(harriet, false);
        vm.stopPrank();
    }

Recommended Mitigation:

function giveReview(address _student, bool review) public onlyTeacher {
require(reviewCount[_student] < 5, "Student review count exceeded!!!");
require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
+ reviewCount[_student] += 1;
if (!review) {
+ require(studentScore[_student] >= 10, "Score cannot go negative");
studentScore[_student] -= 10;
}
}
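
Review bot: The added `require(studentScore[_student] >= 10, "Score cannot go negative")` in the `!review` branch still reverts the call, so it only replaces the 0.8 arithmetic panic with a message and does not remove the revert. Once `reviewCount[_student] += 1` makes the cap of 5 effective and the score starts at 100 (as the PoC comment states), bad reviews can remove at most 50 points, so this require is unreachable unless something else lowers the score; either drop it or clamp the score to zero there instead of reverting. Separately, the lines shown never write `lastReviewTime[_student]`, which the second require reads, so confirm the full function still updates it after this change.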

Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session
