Hawk High

First Flight #39
Beginner Friendly · Solidity
100 EXP
Submission Details
Severity: high
Valid

Teacher Overpayment Logic Exceeds Budget Cap

Summary

The graduateAndUpgrade function incorrectly calculates teacher payments by allocating 35% of the bursary to each teacher rather than splitting the 35% evenly among all teachers. This overpayment can quickly drain the bursary beyond its intended allocation, leading to insufficient funds for the remaining protocol requirements (such as student payouts). This misallocation could result in a major financial imbalance, potentially allowing malicious manipulation of the teacher list to exploit the system.


Vulnerability Details

The function currently calculates the payment per teacher as 35% of the bursary for each teacher individually, instead of splitting that 35% equally among all teachers.

  • Intended behavior: 35% of the bursary should be distributed equally among all teachers.

  • Actual behavior: 35% of the bursary is allocated per teacher, resulting in overpayment when there are multiple teachers.

Example:

  • Bursary = 1000 USDC

  • Number of Teachers = 2

  • Intended Payment per Teacher = 175 USDC (35% split between 2 teachers)

  • Actual Payment per Teacher = 350 USDC (35% for each teacher, 700 USDC total)

This overpayment drains the bursary by 70% instead of the intended 35%.

Code snippet (vulnerable path):

    uint256 totalTeachers = listOfTeachers.length;
    // 🚨 35% of the whole bursary, computed once and paid to every teacher
    uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
    for (uint256 n = 0; n < totalTeachers; n++) {
        usdc.safeTransfer(listOfTeachers[n], payPerTeacher); // each teacher gets 35%
    }

Impact

  • Financial Imbalance: Overpays teachers beyond the 35% bursary allocation, potentially leaving no funds for other participants, such as students or the principal.

  • Protocol Breach: Violates the expected payment structure of 5% for the principal, 35% for teachers, and 60% for students, creating an unfair distribution.

  • Exploitability: Malicious actors could exploit the flaw by adding fake teachers, draining the bursary and breaking the integrity of the financial system.

  • Reentrancy Risk: Failing to update the bursary after payments could leave it vulnerable to reentrancy attacks, where attackers could withdraw funds multiple times.


Tools Used

Manual review


Recommendations

To fix this issue, the code should ensure that 35% of the bursary intended for teachers is divided equally among all active teachers. Additionally, the bursary should be updated after payments to prevent double-spending and reduce the risk of reentrancy attacks.

Recommended fix:

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        // Ensure the session has started and has ended
        require(sessionEnd != 0, "Session not started");
        require(block.timestamp >= sessionEnd, "Session not ended");

        uint256 totalTeachers = listOfTeachers.length;
        uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
        uint256 teachersShare = (bursary * TEACHER_WAGE) / PRECISION;

        // Pay principal
        usdc.safeTransfer(principal, principalPay);

        // Pay teachers (only if there are teachers, so we never divide by zero)
        if (totalTeachers > 0) {
            uint256 payPerTeacher = teachersShare / totalTeachers; // split the 35% equally
            for (uint256 n = 0; n < totalTeachers; n++) {
                usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
            }
        }

        // Deduct distributed amounts to prevent double-spending
        bursary -= (principalPay + teachersShare);

        // Upgrade logic continues...
    }
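To make the arithmetic in the "Vulnerability Details" example and the recommended fix concrete, the following is an added model in plain Python (not code from this submission or from the Hawk High contracts). It mirrors both payment formulas with integer division, as Solidity's uint256 division truncates, and replays the transfers against the contract's remaining balance so the point at which `safeTransfer` would revert is visible. The wage constants are assumptions derived from the 5% / 35% / 60% split the finding describes, with `PRECISION = 100`.

```python
# Added example, not code from the audit submission or the Hawk High contracts:
# a plain-Python model of the vulnerable and the recommended teacher-payment
# formulas. Integer division (//) mirrors Solidity's truncating uint256 division.
# The constants below are ASSUMPTIONS taken from the percentages in the finding
# (5% principal, 35% teachers, 60% students) with a PRECISION of 100.

PRECISION = 100
PRINCIPAL_WAGE = 5
TEACHER_WAGE = 35


def vulnerable_teacher_payouts(bursary: int, num_teachers: int) -> list[int]:
    """Vulnerable path: every teacher is paid 35% of the whole bursary."""
    pay_per_teacher = (bursary * TEACHER_WAGE) // PRECISION
    return [pay_per_teacher] * num_teachers


def fixed_teacher_payouts(bursary: int, num_teachers: int) -> list[int]:
    """Recommended fix: the 35% share is split equally among the teachers.

    With no teachers the division is skipped, which is the guard the fix adds
    so the contract never divides by zero.
    """
    if num_teachers == 0:
        return []
    teachers_share = (bursary * TEACHER_WAGE) // PRECISION
    return [teachers_share // num_teachers] * num_teachers


def settle(bursary: int, num_teachers: int, payout_fn) -> dict:
    """Simulate one graduation: pay the principal, then each teacher in turn.

    Each transfer is checked against the balance the contract still holds, the
    way the token's transfer would see it. The first transfer that exceeds the
    balance marks the run as insolvent (on-chain it would revert and block the
    upgrade). Whatever remains is all the students could still be paid from.
    """
    principal_pay = (bursary * PRINCIPAL_WAGE) // PRECISION
    balance = bursary - principal_pay
    teachers_paid = 0
    insolvent = False
    for pay in payout_fn(bursary, num_teachers):
        if pay > balance:
            insolvent = True
            break
        balance -= pay
        teachers_paid += pay
    return {
        "principal": principal_pay,
        "teachers_total": teachers_paid,
        "teachers_pct": (teachers_paid * 100 // bursary) if bursary else 0,
        "left_for_students": balance,
        "insolvent": insolvent,
    }


if __name__ == "__main__":
    # Constructed input: the 1000 USDC bursary from the finding, in whole units.
    for n in (1, 2, 3, 0):
        print(f"{n} teacher(s)")
        print("  vulnerable:", settle(1000, n, vulnerable_teacher_payouts))
        print("  fixed:     ", settle(1000, n, fixed_teacher_payouts))
```

Running the model shows three things worth recording alongside the finding: with a single teacher both formulas pay 350, so the bug is invisible in the simplest test; with two teachers the vulnerable path pays 700 (70% of the bursary) and leaves only 250 for students; with three teachers the vulnerable path tries to pay 1050 out of the 950 remaining after the principal, so the third transfer reverts and graduation cannot complete at all. On the fixed path the equal split truncates (348 of 350 with three teachers), and because the recommended code deducts the full `teachersShare` from `bursary` rather than the sum actually transferred, that dust stays in the contract unaccounted for; tracking the transferred total instead avoids the mismatch.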


Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

incorrect teacher pay calculation

`payPerTeacher` in `graduateAndUpgrade()` is incorrectly calculated.
