Submission Details
Impact:
Likelihood:
Teacher Payment Without Activity Verification
Summary
Teachers receive payment automatically without verification of their teaching activity or contribution.
Vulnerability Details
Root cause:
function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
// No activity check before payment
for (uint256 n = 0; n < totalTeachers; n++) {
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
}
Initial State:
All teachers receive equal pay
No activity tracking
No contribution requirements
Step 1: Inactive teachers added to system
Step 2: Session ends
Step 3: All teachers paid equally
Step 4: Funds distributed unfairly
Impact
Financial waste
Unfair compensation
Demotivates active teachers
Rewards inactive participants
Tools Used
Manual Review
Recommendations
mapping(address => uint256) public teacherActivity;
function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
require(block.timestamp >= sessionEnd, "Session not ended");
for (uint256 n = 0; n < totalTeachers; n++) {
address teacher = listOfTeachers[n];
require(teacherActivity[teacher] >= MIN_ACTIVITY, "Inactive teacher");
uint256 payPerTeacher = (bursary * TEACHER_WAGE * teacherActivity[teacher])
/ (PRECISION * TOTAL_ACTIVITY);
usdc.safeTransfer(teacher, payPerTeacher);
}
}
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.