Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

A teacher can claim N times his deserved wage (with N being the total number of teachers) instead of his share of the 35% teachers' wage.

Summary

The teacher is able to claim more than his deserved wage (exactly N times more, with N being the total number of teachers).

Vulnerability Details

In the LevelOne.sol contract, payPerTeacher is computed as follows:

uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;

The amount is not divided by the total number of teachers, so every teacher is paid the full 35% of the bursary, which allows each teacher to claim N times his salary.

Example:

If we have 2 teachers, alice and bob, with a total bursary balance of 30k USDC, alice will claim 10500 USDC (35%) instead of just 5250 USDC (35% / 2 = 17.5%).

Proof of Concept:

function testTeacherCanGetMoreThanHisShare() public {
    _studentsEnrolled();
    levelTwoImplementation = new LevelTwo();
    levelTwoImplementationAddress = address(levelTwoImplementation);
    bytes memory data = abi.encodeCall(LevelTwo.graduate, ());

    vm.startPrank(principal);
    levelOneProxy.addTeacher(alice);
    levelOneProxy.addTeacher(bob);
    levelOneProxy.startSession(70);
    uint256 bursaryValueBeforeGraduation = levelOneProxy.bursary();
    levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);
    LevelTwo levelTwoProxy = LevelTwo(proxyAddress);
    vm.stopPrank();

    uint256 aliceBalanceAfterGraduation = usdc.balanceOf(alice);
    uint256 bobBalanceAfterGraduation = usdc.balanceOf(bob);

    // Fair share per teacher: 35% of the bursary, split across all teachers.
    uint256 totalTeachers = levelTwoProxy.getTotalTeachers();
    uint256 correctTeacherWage = ((bursaryValueBeforeGraduation * 35) / 100) / totalTeachers;
    // What the contract actually pays each teacher: the whole 35%, not divided.
    uint256 fullTeacherWage = (bursaryValueBeforeGraduation * 35) / 100;

    // Each teacher receives more than his share (N times it, N = totalTeachers).
    assertGt(aliceBalanceAfterGraduation, correctTeacherWage);
    assertGt(bobBalanceAfterGraduation, correctTeacherWage);
    assertEq(aliceBalanceAfterGraduation, fullTeacherWage);
    assertEq(bobBalanceAfterGraduation, fullTeacherWage);
}

Impact

Teachers can take more from the bursary balance than they are owed, which can lead to:

  • The graduation and upgrade function (graduateAndUpgrade) reverting because the contract no longer holds enough funds to pay the remaining teachers or the principal.

  • Loss of funds.

Tools Used

Manual source code review

Recommendations

Update the payPerTeacher variable inside the graduateAndUpgrade function to:

uint256 payPerTeacher = ((bursary * TEACHER_WAGE) / PRECISION) / totalTeachers;
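To make the two formulas concrete, the following Python model of the payout loop is an added example (it is not part of the submission or of the Hawk High contracts). It uses integer arithmetic like Solidity, takes the 35% teacher wage and PRECISION = 100 from the finding, and assumes a 5% principal share and that an ERC20 transfer exceeding the contract balance reverts.

```python
# Model of the graduateAndUpgrade() payout, vulnerable vs. recommended formula.
TEACHER_WAGE = 35     # 35% of the bursary goes to teachers (from the finding)
PRINCIPAL_WAGE = 5    # assumed principal share, not stated in the finding
PRECISION = 100


class InsufficientBalance(Exception):
    """Stands in for the ERC20 transfer revert once the contract runs dry."""


def pay_per_teacher(bursary: int, total_teachers: int, fixed: bool) -> int:
    """Vulnerable: whole 35% per teacher. Fixed: 35% divided by teacher count."""
    teacher_pool = (bursary * TEACHER_WAGE) // PRECISION
    if not fixed:
        return teacher_pool
    if total_teachers == 0:
        # Solidity division by zero panics; the fix must not be reached with 0 teachers.
        raise ZeroDivisionError("graduateAndUpgrade would revert: no teachers")
    return teacher_pool // total_teachers


def pay_out(bursary: int, teachers: list[str], fixed: bool) -> tuple[dict, int]:
    """Run the transfer loop; return (payouts, remaining balance) or raise."""
    balance = bursary
    wage = pay_per_teacher(bursary, len(teachers), fixed)
    principal_pay = (bursary * PRINCIPAL_WAGE) // PRECISION
    payouts: dict[str, int] = {}
    for teacher in teachers:
        if wage > balance:
            raise InsufficientBalance(f"cannot pay {teacher}: {wage} > {balance}")
        balance -= wage
        payouts[teacher] = wage
    if principal_pay > balance:
        raise InsufficientBalance("cannot pay principal")
    balance -= principal_pay
    payouts["principal"] = principal_pay
    return payouts, balance


if __name__ == "__main__":
    # Constructed scenario from the finding: 2 teachers, 30k USDC bursary.
    print(pay_out(30_000, ["alice", "bob"], fixed=False))  # 10500 each
    print(pay_out(30_000, ["alice", "bob"], fixed=True))   # 5250 each
```

With three teachers the vulnerable formula needs 105% of the bursary, so the third transfer fails, which is the revert described under Impact.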

Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

incorrect teacher pay calculation

`payPerTeacher` in `graduateAndUpgrade()` is incorrectly calculated.
