Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: low
Valid

Missing Session Duration Enforcement

Description: `LevelOne::graduateAndUpgrade` does not verify that the current block timestamp has reached the scheduled `sessionEnd` (which should be set to start + 4 weeks). Without a `require(block.timestamp >= sessionEnd)` guard, the principal can prematurely call graduation logic at any time.

Impact: A principal can graduate and pay out students and teachers before the full 4-week session has elapsed, completely circumventing the intended duration requirement. This allows under-reviewed students to advance, accelerates payouts improperly, and breaks the core business rule that each session must run its full term.

Proof of Concept: Include the following test in the LevelOneAndGraduateTest.t.sol file:

```solidity
function testGraduateBeforeFourWeeks() public schoolInSession {
    vm.warp(block.timestamp + 1 weeks);
    vm.prank(alice);
    levelOneProxy.giveReview(harriet, true);
    levelTwoImplementation = new LevelTwo();
    levelTwoImplementationAddress = address(levelTwoImplementation);
    // attempt to graduate early — currently succeeds but should revert
    vm.prank(principal);
    levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, "");
    // the session-duration invariant bypassed
    assertTrue(true);
}
```

Recommended Mitigation: Add a timestamp check at the top of graduateAndUpgrade to enforce the 4-week session length:

function graduateAndUpgrade(address _levelTwo, bytes memory data) public onlyPrincipal {
{
+ require(block.timestamp >= sessionEnd, "Session not ended");
}
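
Review bot: The added `require` sits inside a second `{` directly under the function signature that is never closed, so the snippet as posted has unbalanced braces; drop the extra brace so the check is the first statement in the body of `graduateAndUpgrade`. The guard also relies on `sessionEnd` having been set: a `uint256` that was never assigned is zero, and `block.timestamp >= sessionEnd` then passes trivially, so consider also requiring that the session was actually started before this comparison.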
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

can graduate without session end

`graduateAndUpgrade()` can be called successfully even when the school session has not ended
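
A self-contained Foundry regression test for the timestamp guard recommended in this finding, added here as an example and not taken from the submission or the Hawk High code base. `SessionGate` and its function names are a hypothetical stand-in for `LevelOne`, and the extra "Session not started" check is an assumption covering the case where `sessionEnd` is still zero.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for LevelOne: only the session timing logic is modelled.
contract SessionGate {
    address public immutable principal;
    uint256 public sessionEnd; // zero until a session is started
    bool public graduated;

    constructor(address _principal) { principal = _principal; }

    function startSession() external {
        require(msg.sender == principal, "Not principal");
        sessionEnd = block.timestamp + 4 weeks;
    }

    function graduate() external {
        require(msg.sender == principal, "Not principal");
        // Assumption: without this, an unset sessionEnd (0) satisfies the next check.
        require(sessionEnd != 0, "Session not started");
        require(block.timestamp >= sessionEnd, "Session not ended");
        graduated = true;
    }
}

contract SessionGateTest is Test {
    address principal = makeAddr("principal");
    SessionGate gate = new SessionGate(principal);

    function testRevertsBeforeSessionStarts() public {
        vm.prank(principal);
        vm.expectRevert(bytes("Session not started"));
        gate.graduate();
    }

    function testRevertsEarlyThenSucceedsAtSessionEnd() public {
        vm.prank(principal);
        gate.startSession();
        vm.warp(block.timestamp + 1 weeks); // one week in: still too early
        vm.prank(principal);
        vm.expectRevert(bytes("Session not ended"));
        gate.graduate();
        vm.warp(gate.sessionEnd()); // exactly at the boundary: allowed
        vm.prank(principal);
        gate.graduate();
        assertTrue(gate.graduated());
    }
}
```

Unlike a test that ends in `assertTrue(true)`, this one fails if the guard is removed, because the `vm.expectRevert` expectation is then not met.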
