Hawk High

First Flight #39
Beginner Friendly / Solidity
100 EXP
Submission Details
Severity: low
Valid

Principal can be added as Teacher

Summary

The addTeacher function does not check whether the input address is the current Principal's address.

Vulnerability Details

Adding the Principal as a Teacher means that at graduation the Principal receives both their 5% Principal share and a Teacher's payment.

Proof of Concept:

function _teachersAdded() internal {
    vm.startPrank(principal);
    // The Principal adds their own address as a Teacher, by accident or on purpose
    levelOneProxy.addTeacher(principal);
    levelOneProxy.addTeacher(bob);
    vm.stopPrank();
}

GitHub Link: LeveOnelAndGraduateTest.t.sol

As the test output shows, once the Principal has been added as a Teacher and the test is run,
the Principal receives their own share of the payment plus a Teacher's share.

[screenshot: Foundry test output]

Impact

  • It also gives the Principal full Teacher rights.

  • A malicious Principal (if the Principal can be assumed to be malicious) can maximise their rewards by holding both roles at the same time
    and removing some or all of the other teachers, leaving only themselves.

Tools Used

Manual Review

Recommendations

Adding a check to addTeacher fixes the issue: the Principal address is prevented from being registered as a Teacher.

GitHub Link: LevelOne.sol

function addTeacher(address _teacher) public onlyPrincipal notYetInSession {
    if (_teacher == address(0)) {
        revert HH__ZeroAddress();
    }
    if (isTeacher[_teacher]) {
        revert HH__TeacherExists();
    }
    if (isStudent[_teacher]) {
        revert HH__NotAllowed();
    }
+   if (principal == _teacher) {
+       revert HH__NotAllowed();
+   }
    listOfTeachers.push(_teacher);
    isTeacher[_teacher] = true;
    emit TeacherAdded(_teacher);
}

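To show the recommended check in a form that can be tested, here is an added example that is not part of the Hawk High code base or of this submission: a cut-down role model contract with the same addTeacher checks (principal, isTeacher, isStudent and the HH__* error names mirror the page), plus a Foundry test that expects the revert. The contract name RoleModel, the enroll function, the HH__NotPrincipal error and the test contract are assumptions of this example, and the test half assumes forge-std is installed in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not the LevelOne contract: a minimal model of the
// Principal / Teacher / Student roles with the mutual-exclusion check
// recommended above.
contract RoleModel {
    error HH__ZeroAddress();
    error HH__TeacherExists();
    error HH__NotAllowed();
    error HH__NotPrincipal(); // assumed name for this example

    event TeacherAdded(address indexed teacher);
    event StudentEnrolled(address indexed student);

    address public immutable principal;
    address[] public listOfTeachers;
    mapping(address => bool) public isTeacher;
    mapping(address => bool) public isStudent;

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert HH__NotPrincipal();
        _;
    }

    constructor(address _principal) {
        if (_principal == address(0)) revert HH__ZeroAddress();
        principal = _principal;
    }

    function addTeacher(address _teacher) external onlyPrincipal {
        if (_teacher == address(0)) revert HH__ZeroAddress();
        if (isTeacher[_teacher]) revert HH__TeacherExists();
        if (isStudent[_teacher]) revert HH__NotAllowed();
        // The fix from the recommendation: the Principal can never hold the Teacher role.
        if (_teacher == principal) revert HH__NotAllowed();
        listOfTeachers.push(_teacher);
        isTeacher[_teacher] = true;
        emit TeacherAdded(_teacher);
    }

    // Assumed enrollment path so isStudent can be populated; it applies the same
    // exclusivity so no single address can ever hold two roles.
    function enroll() external {
        if (isStudent[msg.sender]) revert HH__NotAllowed();
        if (isTeacher[msg.sender] || msg.sender == principal) revert HH__NotAllowed();
        isStudent[msg.sender] = true;
        emit StudentEnrolled(msg.sender);
    }

    function teacherCount() external view returns (uint256) {
        return listOfTeachers.length;
    }
}

// Foundry test: the exact call from the proof of concept above must now revert,
// while adding an ordinary teacher still works.
contract RoleModelTest is Test {
    RoleModel internal model;
    address internal principal = makeAddr("principal");
    address internal bob = makeAddr("bob");

    function setUp() public {
        model = new RoleModel(principal);
    }

    function test_principalCannotBeAddedAsTeacher() public {
        vm.startPrank(principal);
        vm.expectRevert(RoleModel.HH__NotAllowed.selector);
        model.addTeacher(principal); // the call from the PoC, now rejected
        model.addTeacher(bob);       // a normal teacher is still accepted
        vm.stopPrank();

        assertFalse(model.isTeacher(principal));
        assertTrue(model.isTeacher(bob));
        assertEq(model.teacherCount(), 1);
    }

    function test_principalCannotEnrollAsStudent() public {
        vm.prank(principal);
        vm.expectRevert(RoleModel.HH__NotAllowed.selector);
        model.enroll();
    }
}
```

Run it with `forge test --match-contract RoleModelTest`. The same test shape can be dropped into the project's own test file once the check is applied to LevelOne: prank as principal, call levelOneProxy.addTeacher(principal) inside vm.expectRevert, and assert that the Principal never appears in listOfTeachers.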
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

principal can become teacher

Principal can add themselves as teacher and share in teacher pay upon graduation
