Summary

The graduateAndUpgrade() function fails to enforce the requirement that all students must receive 4 weekly reviews before the system can upgrade. This violates a critical business rule and allows graduation decisions to be made on incomplete data.

Vulnerability Details

The system’s documentation states:

"System upgrade should not occur if any student has not gotten 4 reviews (one for each week)."

However, the current implementation of graduateAndUpgrade() does not check whether all enrolled students have received all 4 weekly reviews before proceeding. If the session has ended (block.timestamp >= sessionEnd), the upgrade can proceed regardless of student review completion.

Exploit Scenario:

1. A student enrolls and only receives 1 or 2 reviews.

2. The session ends.

3. The principal calls graduateAndUpgrade().

4. The upgrade proceeds — violating grading and reward logic.

Consequences:

• Incomplete or failed students may be accidentally or maliciously included in the upgrade logic.

• Teachers' rewards could be unfairly distributed (based on incomplete student performance).

• The core logic and trust model of Hawk High are undermined.

This is a violation of a core system invariant — a hallmark of a critical design bug.Impact

Impact

Severity: High

• Violates core business logic.

• Allows unauthorized or incorrect system upgrades.

• Undermines teacher/student reward logic and contract determinism.

• Potentially causes financial discrepancies in the bursary split.

• Breaks upgrade safety and trust guarantees promised by the system.

Tools Used

• Manual code inspection

• Invariant logic analysis

Recommendations

Strictly enforce the review requirement by adding a loop that reverts if any student has received fewer than 4 reviews:

This ensures the system upgrade only occurs when all student assessments are fully complete and prevents the upgrade from executing in an inconsistent state.