A critical logic flaw in the LevelOne smart contract causes all funds paid as "bursary" (student enrollment fees) to be permanently locked in the contract if the graduateAndUpgrade() function is never called. This results in irretrievable loss of user funds and renders the bursary system nonfunctional.
The bursary is a shared pool of enrollment fees collected from students in USDC via the enroll() function:
However, the bursary is only ever utilized within the graduateAndUpgrade() function:
If this function is not called — either due to upgrade failure, poor timing, misconfiguration, or intentional design choice — the bursary funds are permanently stuck in the contract with no alternate path for recovery or withdrawal.
Loss of Funds: Student USDC deposits (bursary) become unrecoverable.
Loss of Trust: Users may lose confidence in the system due to inaccessible funds.
Manual Review
Separate fund distribution logic from the upgrade mechanism:
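One way to make that separation, as an added sketch that is not the report's or the LevelOne project's code. The contract name, the admin role, the flat fee and distributeBursary() are assumptions made for illustration; only enroll(), the bursary pool and USDC come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical contract, not the LevelOne source.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract BursaryPoolSketch {
    IERC20 public immutable usdc;   // fee token (USDC in the report)
    address public immutable admin; // assumed privileged role
    uint256 public immutable fee;   // assumed flat enrollment fee
    uint256 public bursary;         // shared pool of collected fees

    error NotAdmin();
    error LengthMismatch();
    error BadAmount();
    error TransferFailed();

    constructor(IERC20 _usdc, address _admin, uint256 _fee) {
        usdc = _usdc;
        admin = _admin;
        fee = _fee;
    }

    // Fees enter the pool on enrollment, as the finding describes for enroll().
    function enroll() external {
        bursary += fee;
        if (!usdc.transferFrom(msg.sender, address(this), fee)) revert TransferFailed();
    }

    // Payout path that does not depend on an upgrade ever being performed.
    // Accounting is updated before any external call (checks-effects-interactions).
    function distributeBursary(address[] calldata payees, uint256[] calldata amounts) external {
        if (msg.sender != admin) revert NotAdmin();
        if (payees.length != amounts.length) revert LengthMismatch();
        uint256 total;
        for (uint256 i = 0; i < amounts.length; i++) total += amounts[i];
        if (total == 0 || total > bursary) revert BadAmount();
        bursary -= total;
        for (uint256 i = 0; i < payees.length; i++) {
            if (!usdc.transfer(payees[i], amounts[i])) revert TransferFailed();
        }
    }
}
```

With distribution in its own function, an upgrade routine only has to handle the implementation change, and a failed or skipped upgrade no longer strands the pool.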