Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

CutOffScore Not Enforced

kweks

Summary

The graduateAndUpgrade function does not check if students meet the cutOffScore before proceeding with the upgrade. As a result, all students, regardless of whether they meet the required score, are carried over to the next level. This violates the protocol's core rule that only students who meet the score threshold should be allowed to graduate.

Vulnerability Details

The absence of a check to validate whether students have achieved the required cutOffScore allows the system to upgrade all students, even those who have not met the performance criteria. This can lead to protocol violations, such as underperforming students advancing to the next level without meeting the requirements.

Exploit Scenario:

Student A has a score of 50, while the cutOffScore is 70.
The principal calls the graduateAndUpgrade function.
Result: Student A is upgraded to the next level despite not meeting the required score, violating protocol rules and fairness.

Code Snippet: Vulnerable Path

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {

// ... session checks ...

// No validation of studentScore against cutOffScore

for (uint256 n = 0; n < totalTeachers; n++) {

usdc.safeTransfer(listOfTeachers[n], payPerTeacher);

}

_authorizeUpgrade(_levelTwo);

// ... upgrade proceeds for all students ...

}

Impact

Protocol Integrity: Allows underperforming students to advance, breaking the core rule that only students who meet the cutOffScore should progress.
Fairness: Students who do not meet the required standards are unjustly promoted, which undermines the fairness of the system.
Financial Accuracy: If students are wrongly promoted, it could lead to future financial miscalculations, as expelled students might still be included in fee calculations or other financial models related to the upgrade.

Tools Used

Manual review

Recommendations

To prevent unauthorized upgrades of students who do not meet the cutOffScore, the graduateAndUpgrade function should be modified to filter out students below the required score.

Recommended Fix:

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {

// ... session and review checks ...

// ========== CRITICAL FIX ========== //

// Track eligible students for upgrade

address[] memory eligibleStudents = new address[](listOfStudents.length);

uint256 eligibleCount = 0;

// Filter students meeting cutOffScore

for (uint256 i = 0; i < listOfStudents.length; i++) {

address student = listOfStudents[i];

if (studentScore[student] >= cutOffScore) {

eligibleStudents[eligibleCount] = student;

eligibleCount++;

} else {

isStudent[student] = false; // Expel student

emit Expelled(student); // Optional: Emit expulsion event

}

// Update listOfStudents with eligible students only

listOfStudents = eligibleStudents;

// ================================== //

// ... payment and upgrade logic ...

}

Key Fixes:

Filter Eligible Students:
- Loop through the list of students and retain only those whose studentScore is greater than or equal to cutOffScore.
Expel Unqualified Students:
- For students who do not meet the cutOffScore, set isStudent[student] = false, effectively expelling them from the system.
Update Student List:
- Replace listOfStudents with the new array eligibleStudents that only contains students who meet the required score.

Edge Cases & Considerations:

Gas Efficiency:
- Use a temporary array (eligibleStudents) to avoid performing expensive operations like repeatedly popping items from the original listOfStudents.
Storage Compatibility:
- Ensure that the new student list is compatible with the upgraded contract (LevelTwo) and properly reflects the eligibility of students.
Emitted Events:
- Consider emitting an Expelled event when a student is removed to ensure transparency in the process.

Why This Matters

Protocol Integrity: Enforcing the cutOffScore ensures only deserving students advance, maintaining the system’s trust and the integrity of the protocol.
Fairness: It guarantees that only students who have met the necessary academic requirements progress to the next level.
Financial Accuracy: By expelling students who don't meet the cutOffScore, the system ensures that future financial calculations (e.g., fees, payments) are accurate and based on the correct student list.

Recommendations

Post-Upgrade Initialization:
- In the LevelTwo contract, initialize the student list to ensure that only students who meet the cutoff are included in the new level.
Graduation Event:
- Emit a Graduated event for students who meet the cutOffScore to mark their successful progression.
Storage Gaps:
- Consider adding a uint256[50] __gap in the LevelOne contract to reserve storage slots for future upgrades and prevent potential storage issues.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.