Hawk High
First Flight #39 (Beginner Friendly, Solidity, 100 EXP)

Submission Details
Severity: High
Status: Valid

Missing Student Qualification Check in Graduation Process

Summary

The LevelOne contract has no mechanism to exclude students who fall below the cutoff score when the Principal graduates the class. The project requirements state that "Any student who doesn't meet the cutOffScore should not be upgraded" when the Principal upgrades the system, but graduateAndUpgrade() never compares a student's score with cutOffScore: every enrolled student is carried into the upgraded contract. The only way to honour the requirement is for the Principal to track failing students off-chain and expel() them one at a time before upgrading, which is impractical and error-prone.

Vulnerability Details

The graduateAndUpgrade() function in LevelOne.sol performs the upgrade but does not filter students by score. The function:

  1. Performs the upgrade to the new implementation

  2. Distributes wages to the teachers and the principal

  3. Never compares any student's score against cutOffScore, so no student is removed from the roster

This omission forces the Principal to use the expel() function individually for each failing student, which is:

  • Highly manual and time-consuming

  • Prone to human error (students might be incorrectly promoted or expelled)

  • Difficult to scale with a large number of students

Impact

This vulnerability fundamentally undermines the academic progression model of the system:

  1. Academic Integrity: All students automatically progress regardless of performance, eliminating accountability and incentives to maintain good academic standing

  2. Manual Overhead: The Principal must track scores offline and manually expel each failing student, creating significant operational overhead

  3. Inconsistent Application: Manual expulsion increases the risk of inconsistent application of academic standards

  4. System State Inconsistency: If the Principal forgets to expel failing students before upgrading, those students will incorrectly progress to the next level

This issue is particularly severe because it contradicts an explicit invariant of the system stated in the README: "Any student who doesn't meet the cutOffScore should not be upgraded".

Proof of Concept

With at least one enrolled student whose score is below cutOffScore, the Principal calls graduateAndUpgrade(). The call succeeds: the implementation is upgraded and wages are paid, but the failing student is never expelled and remains enrolled in the upgraded contract. Failing students are removed only if the Principal expels each of them individually before making the call.

Tools Used

  • Manual code review

  • Analysis of contract logic against system requirements

Recommendations

Implement automatic student filtering in the graduateAndUpgrade() function: before performing the upgrade, iterate over the enrolled students and remove every student whose score is below cutOffScore (the same effect as expel()), so that the roster carried into the upgraded contract contains only students who met the requirement.
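The following contract is an added illustration of the recommended fix written for this finding; it is not the Hawk High LevelOne contract. The storage layout (a `listOfStudents` array, `studentScore` and `isStudent` mappings, a `cutOffScore` threshold, an `onlyPrincipal` guard), the `enrol` helper, and the reading of "meets the cutOffScore" as `score >= cutOffScore` are assumptions made for the example, and the real upgrade and wage-payment logic is replaced by an empty `_upgradeAndPayWages` stub.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example for the finding, not the project's LevelOne contract.
/// Assumed here: a principal address, an address[] roster `listOfStudents`,
/// `studentScore` and `isStudent` mappings, a `cutOffScore` threshold, and
/// that "meeting" the cut-off means score >= cutOffScore. The original
/// upgrade and wage logic is stood in for by `_upgradeAndPayWages`.
contract GraduationWithCutOff {
    address public immutable principal;
    uint256 public cutOffScore;
    address[] public listOfStudents;
    mapping(address => uint256) public studentScore;
    mapping(address => bool) public isStudent;

    event StudentExpelled(address indexed student, uint256 score, uint256 cutOff);
    event Graduated(uint256 remainingStudents);

    error NotPrincipal();
    error AlreadyEnrolled(address student);

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    constructor(uint256 _cutOffScore) {
        principal = msg.sender;
        cutOffScore = _cutOffScore;
    }

    /// Example-only enrolment helper so the contract can be exercised.
    function enrol(address student, uint256 score) external onlyPrincipal {
        if (isStudent[student]) revert AlreadyEnrolled(student);
        isStudent[student] = true;
        studentScore[student] = score;
        listOfStudents.push(student);
    }

    /// Graduation with the README invariant enforced: every student below the
    /// cut-off is removed before the upgrade runs, so the roster carried into
    /// the next level holds only students who met cutOffScore.
    function graduateAndUpgrade(address _levelTwo) external onlyPrincipal {
        // Walk the roster from the end. Swap-and-pop removal moves the last
        // element into the freed slot; a backward index has already visited
        // that element, so no student is skipped.
        uint256 i = listOfStudents.length;
        while (i > 0) {
            i--;
            address student = listOfStudents[i];
            uint256 score = studentScore[student];
            if (score < cutOffScore) {
                _removeStudentAt(i);
                emit StudentExpelled(student, score, cutOffScore);
            }
        }
        _upgradeAndPayWages(_levelTwo);
        emit Graduated(listOfStudents.length);
    }

    /// Stand-in for the original contract's upgrade and wage distribution.
    function _upgradeAndPayWages(address /* _levelTwo */) internal {}

    /// Same bookkeeping an expel() would do: drop from the roster and clear state.
    function _removeStudentAt(uint256 index) internal {
        address student = listOfStudents[index];
        uint256 last = listOfStudents.length - 1;
        if (index != last) {
            listOfStudents[index] = listOfStudents[last];
        }
        listOfStudents.pop();
        isStudent[student] = false;
        delete studentScore[student];
    }

    function studentCount() external view returns (uint256) {
        return listOfStudents.length;
    }
}
```

A Foundry check for this version would enrol two students, one at the cut-off and one below it, call `graduateAndUpgrade`, and assert that `studentCount()` is 1 and `isStudent` is false for the failing address, then repeat with all students passing and assert the roster is unchanged. Two caveats a reviewer would raise: the loop's gas cost grows with the roster size, so a very large class could push the call over the block gas limit, in which case the check should be applied in batches or the upgrade should revert until the Principal has expelled the failing students; and because removal is swap-and-pop, the order of `listOfStudents` after graduation is not preserved, which only matters if other code relies on ordering.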

Updates

Lead Judging Commences

yeahchibyke Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.
