Summary
Missing input data in the enroll function in LevelOne.sol. The schoolFees input is missing, so a user can enroll in the session without providing the school fees.
Vulnerability Details
Missing schoolFees input data in the enroll function in LevelOne.sol. The schoolFees input is missing, so a user can enroll in the session without paying the school fees.
    function enroll() external notYetInSession {
        if (isTeacher[msg.sender] || msg.sender == principal) {
            revert HH__NotAllowed();
        }
        if (isStudent[msg.sender]) {
            revert HH__StudentExists();
        }
        usdc.safeTransferFrom(msg.sender, address(this), schoolFees);
        listOfStudents.push(msg.sender);
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100;
        bursary += schoolFees;
        emit Enrolled(msg.sender);
    }
https://github.com/CodeHawks-Contests/2025-05-hawk-high/blob/3a7251910c31739505a8699c7a0fc1b7de2c30b5/src/LevelOne.sol#L143
Impact
A user can enroll in the session without paying the schoolFees, which can cause the contract to lose funds, because more unwanted users can enroll in it.
Tools Used
Manual review
Recommendations
Take schoolFees as an input parameter:
    function enroll(uint256 _schoolFees) external notYetInSession {
        if (isTeacher[msg.sender] || msg.sender == principal) {
            revert HH__NotAllowed();
        }
        if (isStudent[msg.sender]) {
            revert HH__StudentExists();
        }
        usdc.safeTransferFrom(msg.sender, address(this), _schoolFees);
        listOfStudents.push(msg.sender);
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100;
        bursary += _schoolFees;
        emit Enrolled(msg.sender);
    }
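An added example, not part of the original submission or of the Hawk High code base: a stand-alone sketch of the recommended enroll(uint256 _schoolFees) signature in which the supplied amount is compared with the stored schoolFees before it is used for the transfer and the bursary. EnrollSketch, HH__WrongFee, HH__TransferFailed, the constructor and the plain transferFrom interface are assumptions made so the block compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch: a minimal stand-in for LevelOne, not the project's contract.
// The notYetInSession modifier and teacher management are omitted for brevity.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract EnrollSketch {
    IERC20 public immutable usdc;
    address public immutable principal;
    uint256 public immutable schoolFees; // fee fixed at deployment (assumption)
    uint256 public bursary;
    address[] public listOfStudents;
    mapping(address => bool) public isTeacher;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore;

    error HH__NotAllowed();
    error HH__StudentExists();
    error HH__WrongFee(uint256 expected, uint256 supplied); // hypothetical name
    error HH__TransferFailed(); // hypothetical name
    event Enrolled(address indexed student);

    constructor(IERC20 _usdc, address _principal, uint256 _schoolFees) {
        usdc = _usdc;
        principal = _principal;
        schoolFees = _schoolFees;
    }

    function enroll(uint256 _schoolFees) external {
        if (isTeacher[msg.sender] || msg.sender == principal) revert HH__NotAllowed();
        if (isStudent[msg.sender]) revert HH__StudentExists();
        // The caller's figure is only a confirmation; the stored fee is authoritative.
        if (_schoolFees != schoolFees) revert HH__WrongFee(schoolFees, _schoolFees);

        // State first, external call last; a failed transfer reverts everything.
        listOfStudents.push(msg.sender);
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100;
        bursary += schoolFees;
        emit Enrolled(msg.sender);
        if (!usdc.transferFrom(msg.sender, address(this), schoolFees)) revert HH__TransferFailed();
    }
}
```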