Hawk High

First Flight #39
Beginner Friendly, Solidity

Submission Details
Impact: medium
Likelihood: low
Status: Invalid

Principal Can Manipulate Teacher Payments Through Fake Accounts

Summary

The principal can inflate the teacher count by adding addresses they control as "teachers", so that the share of the bursary paid out to teachers is captured by those accounts instead of legitimate teachers.

Vulnerability Details

Root cause:

    function addTeacher(address _teacher) public onlyPrincipal notYetInSession {
        // No limit on the number of teachers
        listOfTeachers.push(_teacher);
        isTeacher[_teacher] = true;
    }

Initial State:

  • The principal can add an unlimited number of teachers

  • The teacher wage is 35% of the bursary

Step 1: The principal creates multiple wallet addresses
Step 2: The principal adds these addresses as teachers
Step 3: The fake teacher accounts receive a larger share of the bursary

Implications:

  • Fraudulent distribution of funds

  • Reduced legitimate teacher compensation

  • System manipulation

Impact

  • Financial loss for legitimate teachers

  • Compromised reward system

  • Trust issues in the platform

Tools Used

Manual Review

Recommendations

Implement strict teacher limits and verification:

    uint256 public constant MAX_TEACHERS = 10;

    function addTeacher(address _teacher) public onlyPrincipal notYetInSession {
        // Cap the roster size so the principal cannot add teachers without bound
        require(listOfTeachers.length < MAX_TEACHERS, "Max teachers reached");
        // verifyTeacherCredentials is a proposed verification hook; it does not exist in the contract and must be implemented
        require(verifyTeacherCredentials(_teacher), "Invalid credentials");
        // ...existing code...
    }
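As an added example (not the Hawk High code and not the submitter's proposal above), the cap in a minimal stand-alone roster contract together with zero-address and duplicate checks, an event so off-chain monitoring can see roster growth, and a Foundry test asserting that an addition beyond the cap reverts. It assumes forge-std is available and omits the original notYetInSession modifier; MAX_TEACHERS = 10 is a hypothetical value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the school contract (constructed for this example; not the Hawk High code).
contract CappedTeacherRoster {
    error NotPrincipal();
    error ZeroAddress();
    error TeacherExists();
    error MaxTeachersReached();

    uint256 public constant MAX_TEACHERS = 10; // hypothetical cap, tune per deployment
    address public immutable principal;
    address[] public listOfTeachers;
    mapping(address => bool) public isTeacher;

    // Emitted on every addition so off-chain monitoring can track roster growth.
    event TeacherAdded(address indexed teacher, uint256 totalTeachers);

    constructor() { principal = msg.sender; }

    modifier onlyPrincipal() { if (msg.sender != principal) revert NotPrincipal(); _; }

    function addTeacher(address _teacher) external onlyPrincipal {
        if (_teacher == address(0)) revert ZeroAddress();
        if (isTeacher[_teacher]) revert TeacherExists();          // no duplicate entries
        if (listOfTeachers.length >= MAX_TEACHERS) revert MaxTeachersReached();
        listOfTeachers.push(_teacher);
        isTeacher[_teacher] = true;
        emit TeacherAdded(_teacher, listOfTeachers.length);
    }

    function teacherCount() external view returns (uint256) { return listOfTeachers.length; }
}

// Foundry test: the deploying test contract is the principal.
contract CappedTeacherRosterTest is Test {
    CappedTeacherRoster roster;

    function setUp() public { roster = new CappedTeacherRoster(); }

    function test_CapBlocksAdditionBeyondMax() public {
        for (uint256 i = 1; i <= roster.MAX_TEACHERS(); i++) roster.addTeacher(address(uint160(i)));
        assertEq(roster.teacherCount(), roster.MAX_TEACHERS());
        vm.expectRevert(CappedTeacherRoster.MaxTeachersReached.selector);
        roster.addTeacher(address(uint160(999)));
    }
}
```

Run with `forge test` from a Foundry project that has forge-std installed.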

Updates

Lead Judging Commences

yeahchibyke (Lead Judge), 2 months ago:
Submission Judgement Published: Invalidated
Reason: Non-acceptable severity

Appeal created by mimis (Submitter), 2 months ago

yeahchibyke (Lead Judge), about 2 months ago:
Submission Judgement Published: Invalidated
Reason: Non-acceptable severity
