Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Cutoff Value Set to Zero and Never Used Allows All Students to Graduate, Breaking System Invariant.

batblock

Summary

If the cutoffscore value is set to zero, it allows all students to graduate, bypassing the intended checks and breaking the system's invariant, which should only allow students to graduate once certain conditions are met.

Vulnerability Details

The cutoffscore value, which is part of the graduation condition, can be mistakenly set to zero. This results in all students meeting the graduation requirement, as the cutoff is used to determine if the student should graduate. When set to zero, every student's score would automatically qualify them for graduation, breaking the intended logic and potentially allowing unauthorized graduations.

POC:

Add this code in LevelOneAndGraduateTest.t.sol

function testCutOffScoreCanbeZero() public {

vm.prank(principal);

levelOneProxy.startSession(0);

uint256 bursaryBeforeUpgrade = levelOneProxy.bursary();

levelTwoImplementation = new LevelTwo();

levelTwoImplementationAddress = address(levelTwoImplementation);

bytes memory data = abi.encodeCall(LevelTwo.graduate, ());

vm.prank(principal);

levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);

LevelTwo levelTwoProxy = LevelTwo(proxyAddress);

console2.log(levelTwoProxy.bursary());

console2.log(bursaryBeforeUpgrade,"before");

}

Impact

All students could graduate regardless of their actual performance, leading to a significant integrity issue within the system.

This could undermine the entire grading and progression mechanism, allowing students who haven’t met the necessary requirements to be considered graduated.

Tools Used

Foundry

Recommendations

Ensure that the cutoff value is validated before being set, and that it cannot be zero.
Implement a check for valid cutoff values and add a default minimum value (e.g., 1) to avoid zero cutoff.
Consider adding a fallback mechanism to handle edge cases like this where the value is unexpectedly zero.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.