Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

graduateAndUpgrade() lacks logic to exclude unqualified students from promotion

hexspectre

Summary

According to the protocol rules:

“Any student who doesn't meet the cutOffScore should not be upgraded.”
“Students must have gotten all reviews before system upgrade.”

However, in the current implementation, the graduateAndUpgrade() function:

Does not check if each student met the cutOffScore
Simply upgrades the system, preserving the entire listOfStudents without filtering

This violates the system's intended business logic and breaks the “graduation” invariant.

Vulnerability Details

Current graduateAndUpgrade() implementation:

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {

...

_authorizeUpgrade(_levelTwo);

...

}

There is:

❌ No check on reviewCount[_student]
❌ No check on studentScore[_student]
❌ No removal of students below cutoff

This allows:

Students who should have failed to be preserved in storage
LevelTwo to inherit invalid state, making metrics meaningless
Potential economic or governance bugs in more complex versions

Impact

Breaks the expected graduation process
Invalid students persist in the upgraded contract
May misrepresent cohort data and future payout logic
Fails the system's core education + performance requirement

Tools Used

Manual source code audit
Logic reasoning

Recommendations

Implement a loop before the upgrade call that:

Checks each student has received 4 reviews
Compares their score with cutOffScore
Expels the student if conditions are not met

Example fix:

for (uint256 i = listOfStudents.length; i > 0; i--) {

address student = listOfStudents[i - 1];

if (reviewCount[student] < 4 || studentScore[student] < cutOffScore) {

listOfStudents[i - 1] = listOfStudents[listOfStudents.length - 1];

listOfStudents.pop();

isStudent[student] = false;

emit Expelled(student);

}

Place this loop just before calling _authorizeUpgrade.

This guarantees that only valid, fully-reviewed, and passing students make it into LevelTwo.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.