Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Permanent Lock of Bursary Funds in LevelOne Contract

Summary

A critical logic flaw in the LevelOne smart contract causes all funds paid as "bursary" (student enrollment fees) to be permanently locked in the contract if the graduateAndUpgrade() function is never called. This results in irretrievable loss of user funds and renders the bursary system nonfunctional.

Vulnerability Details

The bursary is a shared pool of enrollment fees collected from students in USDC via the enroll() function:

usdc.safeTransferFrom(msg.sender, address(this), schoolFees);
bursary += schoolFees;

However, the bursary is only ever utilized within the graduateAndUpgrade() function:

uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
...
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
usdc.safeTransfer(principal, principalPay);

If this function is never called — whether because of an upgrade failure, poor timing, misconfiguration, or an intentional design choice — the bursary funds remain stuck in the contract permanently, with no alternative path for recovery or withdrawal.

Impact

Loss of Funds: Student USDC deposits (bursary) become unrecoverable.

Loss of Trust: Users may lose confidence in the system due to inaccessible funds.

Tools Used

Manual Review

Recommendations

Separate fund distribution logic from the upgrade mechanism:
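As an added illustration of this recommendation (example code, not the Hawk High contract or the report author's), here is a minimal sketch in which the bursary payout is its own function that the upgrade merely reuses; the contract name, constructor, onlyPrincipal modifier, and the wage constants' values are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative sketch, not the Hawk High contract: the bursary payout lives in
// its own function so the funds stay retrievable even if no upgrade happens.
contract BursaryExample {
    using SafeERC20 for IERC20;
    // Wage shares as a percentage of the bursary (assumed values for this sketch).
    uint256 public constant TEACHER_WAGE = 35;
    uint256 public constant PRINCIPAL_WAGE = 5;
    uint256 public constant PRECISION = 100;
    IERC20 public immutable usdc;
    address public immutable principal;
    uint256 public immutable schoolFees;
    uint256 public bursary;
    address[] public listOfTeachers;
    modifier onlyPrincipal() { require(msg.sender == principal, "not principal"); _; }
    constructor(IERC20 _usdc, address _principal, uint256 _schoolFees, address[] memory _teachers) {
        usdc = _usdc;
        principal = _principal;
        schoolFees = _schoolFees;
        listOfTeachers = _teachers;
    }

    // Same flow the report quotes: fees are pulled in and added to the pool.
    function enroll() external {
        usdc.safeTransferFrom(msg.sender, address(this), schoolFees);
        bursary += schoolFees;
    }

    // Payout no longer depends on an upgrade: the principal can settle wages at
    // the end of any session, so student deposits are never stranded.
    function distributeBursary() public onlyPrincipal {
        uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
        uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
        uint256 total = payPerTeacher * listOfTeachers.length + principalPay;
        require(total <= bursary, "payout exceeds bursary"); // sanity check on the shares
        bursary -= total; // update state before the external transfers
        for (uint256 n = 0; n < listOfTeachers.length; n++) {
            usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
        }
        usdc.safeTransfer(principal, principalPay);
    }

    // The upgrade path reuses the payout (the upgrade to levelTwo itself is
    // omitted in this sketch) but is no longer the only way funds can leave.
    function graduateAndUpgrade(address levelTwo) external onlyPrincipal {
        distributeBursary();
    }
}
```

The require on the summed payout is a guard a reviewer would expect around any percentage-based split, so a misconfigured share cannot silently exceed the pool.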

Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
