Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Review Count Not Tracked

Summary

The giveReview function never updates the per-student review counter, so a teacher can submit an unlimited number of reviews for the same student. This breaks the invariant that each student receives exactly 4 reviews (one per week) before the system can be upgraded, and can lead to students being manipulated into graduation or expulsion on the basis of incomplete or inflated review data.


Vulnerability Details

In the current implementation of giveReview, the review count (reviewCount[_student]) is never incremented. This oversight means the function will allow an unlimited number of reviews to be given to a student, which could lead to the following issues:

  • Teachers could submit excessive negative reviews (e.g., 10 bad reviews) without being stopped.

  • Because reviewCount[_student] stays at 0, the `< 5` check never fails, so the intended review limit is bypassed and the score can be driven down at will.

  • Students may receive inaccurate final scores, potentially leading to wrongful graduations or expulsions based on incomplete data.

Example:

  • Exploit Scenario:

    • Teacher calls giveReview for a student 10 times in Week 1.

    • reviewCount[_student] never increments, so all 10 reviews are accepted.

    • The student's score drops to 0 due to 10 bad reviews, leading to unfair expulsion.

Code Snippet (Vulnerable Path):

```solidity
function giveReview(address _student, bool review) public onlyTeacher {
    // ... checks ...
    require(reviewCount[_student] < 5, "Student review count exceeded!!!"); // Never incremented → always <5
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
    if (!review) {
        studentScore[_student] -= 10;
    }
    lastReviewTime[_student] = block.timestamp;
    // Missing: reviewCount[_student]++
}
```

Impact

  • Data Integrity: The system cannot guarantee that students will receive exactly 4 reviews, which undermines the integrity of the review process.

  • Malicious Exploitation: Teachers could spam reviews to manipulate student scores, resulting in unfair graduations or expulsions.

  • Protocol Invariant Violation: The protocol's invariant that students must receive exactly 4 reviews before being graduated or expelled is not enforced, breaking the system's logic and expectations.

  • Misleading Data: Without proper review tracking, the graduation process could either fail to complete or be executed unfairly.


Tools Used

Manual review


Recommendations

The fix is to increment the review count for each student on every review, cap the count at 4, and tie each review to its session week. Additionally, graduateAndUpgrade should check that every student has received exactly 4 reviews before the system is upgraded.

Recommended Fix:

```solidity
function giveReview(address _student, bool review) public onlyTeacher {
    require(isStudent[_student], "Student does not exist");
    require(reviewCount[_student] < 4, "Max 4 reviews"); // 0-3 allowed (4 total)
    require(block.timestamp >= sessionStart + (reviewCount[_student] + 1) * 1 weeks, "Week not ended"); // Time check per week
    if (!review) {
        studentScore[_student] -= 10;
    }
    reviewCount[_student]++; // Track reviews
    emit ReviewGiven(_student, review, studentScore[_student]);
}

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
    // Ensure all students have received exactly 4 reviews before upgrading
    for (uint256 i = 0; i < listOfStudents.length; i++) {
        address student = listOfStudents[i];
        require(reviewCount[student] == 4, "Incomplete reviews"); // Enforce 4 reviews
    }
    // Proceed with the upgrade logic...
}
```

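The vulnerable path and the recommended fix, modelled side by side. This is an added Python simulation written for this write-up, not the Hawk High contract or its test suite; it reuses the page's state names (reviewCount, lastReviewTime, reviewTime, sessionStart, studentScore) and assumes a one-week reviewTime and a starting score of 100, both constructed for the example.

```python
# Constructed model of the two giveReview variants; timestamps are plain seconds.
WEEK = 7 * 24 * 3600


class ReviewLedger:
    """Per-student state with the same fields as the contract (names assumed)."""

    def __init__(self, session_start: int, review_time: int = WEEK):
        self.session_start = session_start
        self.review_time = review_time
        self.review_count: dict[str, int] = {}
        self.last_review_time: dict[str, int] = {}
        self.student_score: dict[str, int] = {}

    def enroll(self, student: str, score: int = 100) -> None:
        self.review_count[student] = 0
        self.last_review_time[student] = 0
        self.student_score[student] = score


def give_review_vulnerable(l: ReviewLedger, student: str, good: bool, now: int) -> None:
    """Original logic: the count is checked but never incremented."""
    if not l.review_count[student] < 5:
        raise ValueError("Student review count exceeded!!!")
    if not now >= l.last_review_time[student] + l.review_time:
        raise ValueError("Reviews can only be given once per week")
    if not good:
        l.student_score[student] -= 10
    l.last_review_time[student] = now
    # Missing: l.review_count[student] += 1


def give_review_fixed(l: ReviewLedger, student: str, good: bool, now: int) -> None:
    """Recommended fix: cap at 4 and tie review k to session week k+1."""
    if not l.review_count[student] < 4:
        raise ValueError("Max 4 reviews")
    if not now >= l.session_start + (l.review_count[student] + 1) * WEEK:
        raise ValueError("Week not ended")
    if not good:
        l.student_score[student] -= 10
    l.review_count[student] += 1


def run_bad_reviews(give_review, weeks: int) -> tuple[int, int, int]:
    """One bad review per week for `weeks` weeks; returns (accepted, count, score)."""
    l = ReviewLedger(session_start=0)
    l.enroll("alice")
    accepted = 0
    for w in range(1, weeks + 1):
        try:
            give_review(l, "alice", False, w * WEEK)
            accepted += 1
        except ValueError:
            pass  # a revert in the contract; the review is not recorded
    return accepted, l.review_count["alice"], l.student_score["alice"]
```

With the original logic ten weekly bad reviews are all accepted and the counter still reads 0; with the fix the fifth and later attempts revert and the counter stops at 4.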
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session
