Description: `LevelOne::graduateAndUpgrade` does not verify that the current block timestamp has reached the scheduled `sessionEnd` (which should be set to start + 4 weeks). Without a `require(block.timestamp >= sessionEnd)` guard, the principal can prematurely call graduation logic at any time.
Impact: A principal can graduate and pay out students and teachers before the full 4-week session has elapsed, completely circumventing the intended duration requirement. This allows under-reviewed students to advance, accelerates payouts improperly, and breaks the core business rule that each session must run its full term.
Proof of Concept: Include the following test in the `LevelOneAndGraduateTest.t.sol` file:
Recommended Mitigation: Add a timestamp check at the top of graduateAndUpgrade to enforce the 4-week session length:
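A minimal sketch of that guard, shown beside the unguarded form. This is an added example, not the project's or the submitter's code: the contract `SessionGate`, its storage layout, `startSession`, `inSession`, `graduateAndUpgradeUnchecked` and the custom errors are assumptions; only `graduateAndUpgrade`, `sessionEnd` and the 4-week term come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for LevelOne: only the session-timing logic is modelled.
contract SessionGate {
    uint256 public constant SESSION_LENGTH = 4 weeks;

    address public immutable principal;
    uint256 public sessionEnd; // 0 until a session is started
    bool public inSession;

    error NotPrincipal();
    error SessionNotStarted();
    error SessionNotEnded(uint256 nowTs, uint256 sessionEnd);

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    constructor(address _principal) {
        principal = _principal;
    }

    function startSession() external onlyPrincipal {
        sessionEnd = block.timestamp + SESSION_LENGTH;
        inSession = true;
    }

    // Before the fix: no time check, so the call succeeds right after startSession().
    function graduateAndUpgradeUnchecked() external onlyPrincipal {
        inSession = false; // payouts and upgrade would follow here
    }

    // After the fix: reject any call made before the scheduled end of the session.
    function graduateAndUpgrade() external onlyPrincipal {
        // A never-started session leaves sessionEnd at 0, which would pass the
        // timestamp comparison below, so it is rejected explicitly first.
        if (!inSession) revert SessionNotStarted();
        if (block.timestamp < sessionEnd) {
            revert SessionNotEnded(block.timestamp, sessionEnd);
        }
        inSession = false; // payouts and upgrade would follow here
    }
}
```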
`graduateAndUpgrade()` can be called successfully even when the school session has not ended