Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Missing Review Time Controls Enables Review Spam

Summary

Teachers can give reviews to students without proper time-based or day-based constraints, allowing review spam and score manipulation.

Vulnerability Details

Root cause:

```solidity
function giveReview(address _student, bool review) public onlyTeacher {
    // Time check exists but reviewCount never increments
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
    // ...existing code...
}
```

Initial State:

  • Teacher has review permissions

  • Weekly time limit exists, but the review count is never incremented

Step 1: Teacher gives reviews as many times as possible in a day or within a single week
Step 2: Waits one week
Step 3: Can give another review, indefinitely
Step 4: Can manipulate student scores through repeated negative reviews

Implications:

  • Student scores can be unfairly reduced

  • No limit on total reviews

  • System open to abuse

Impact

  • Score manipulation possible

  • Unfair grading system

  • Student grades can be maliciously reduced

  • No protection against targeted harassment

Tools Used

Manual Review

Recommendations

```solidity
function giveReview(address _student, bool review) public onlyTeacher {
    require(inSession, "Not in session");
    require(block.timestamp <= sessionEnd, "Session ended");
    require(reviewCount[_student] < 5, "Max reviews reached");
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Too soon");
    reviewCount[_student]++;
    // ...existing code...
}
```

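To make the finding reproducible, here is an added Foundry test (example code, not Hawk High's contract or the submitter's code) against a hypothetical `ReviewBook` stand-in: with only the weekly time gate the number of negative reviews is unbounded, while the recommended `reviewCount` check rejects the sixth one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the audited contract (not Hawk High's code); `capEnforced` toggles the fix.
contract ReviewBook {
    uint256 public constant reviewTime = 1 weeks;
    bool public immutable capEnforced;
    mapping(address => uint256) public studentScore;
    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public lastReviewTime;
    constructor(bool _capEnforced) { capEnforced = _capEnforced; }
    function enroll(address student) external { studentScore[student] = 100; }

    function giveReview(address _student, bool review) external {
        require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Too soon");
        if (capEnforced) {
            require(reviewCount[_student] < 5, "Max reviews reached");
            reviewCount[_student]++; // the increment the vulnerable version omits
        }
        if (!review) studentScore[_student] -= 10; // false = bad review
        lastReviewTime[_student] = block.timestamp;
    }
}

contract ReviewBookTest is Test {
    address student = makeAddr("student");
    // Advance one week (satisfying the time gate), then submit one negative review.
    function weeklyBadReview(ReviewBook book) internal {
        vm.warp(block.timestamp + 1 weeks);
        book.giveReview(student, false);
    }

    function test_noCounter_reviewsUnbounded() public {
        ReviewBook book = new ReviewBook(false);
        book.enroll(student);
        for (uint256 i = 0; i < 8; i++) weeklyBadReview(book); // time gate alone never stops it
        assertEq(book.studentScore(student), 20);
        assertEq(book.reviewCount(student), 0); // counter never moved
    }

    function test_counter_capsAtFive() public {
        ReviewBook book = new ReviewBook(true);
        book.enroll(student);
        for (uint256 i = 0; i < 5; i++) weeklyBadReview(book);
        vm.warp(block.timestamp + 1 weeks);
        vm.expectRevert(bytes("Max reviews reached"));
        book.giveReview(student, false);
        assertEq(book.studentScore(student), 50);
    }
}
```

Run with `forge test`; the first test passes only because nothing bounds the count, which is exactly the defect the recommendation closes.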
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

session state not updated

`inSession` not updated after during upgrade
