Submission Details
Impact:
Likelihood:
Teacher can manipulate the review and score of students .
Summary
In function giveReview in contract levelOne . Teacher can manipulate the score of students by giving them false review .
Vulnerability Details
In function giveReview in contract levelOne . Teacher can manipulate the score of students by giving them false review .
if (!review) { // q teacher can give bad review and deduct the score and can alter class result
studentScore[_student] -= 10;
}
function giveReview(address _student, bool review) public onlyTeacher {
if (!isStudent[_student]) {
revert HH__StudentDoesNotExist();
}
require(reviewCount[_student] < 5, "Student review count exceeded!!!");
require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
// where `false` is a bad review and true is a good review
if (!review) {
studentScore[_student] -= 10;
}
// Update last review time
lastReviewTime[_student] = block.timestamp;
emit ReviewGiven(_student, review, studentScore[_student]);
}
Impact
Teacher can alter the class result according to their wish . Making some student get benifit from this. If total student is 5 and teacher give false review to 4 student , then 5th student will get the benifit .
Tools Used
Manual review
Recommendations
Make the review giving automatic , by storing the previous data or by scored marks .
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.