Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Arithmetic Error leads to Overpayment due to multiplication logic

mosmoker

Summary

this is a critical business logic caused due to Arithmetic Error calculation, where the earning of Teachers must be 35% of all school fees paid but the logic to perform this process is implemented incorrectly causing to give each Teacher a complete 35% of all school fees paid instead of sharing a 35% of all fees among teachers. This is a critical flaw because if the total teachers exists >= 3 teachers then the total money received will equal : 3 × 35% = 105%, which exceeds the total fees collected, causing the LevelOne::graduateAndUpgrade function to revert and no one will be collected with their wage not even the Principal .

Vulnerability Details

1- Navigate to test/LeveOnelAndGraduateTest.t.sol file.

2- Add the following PoC code to the test file:

function testEachTeacherTake35PercentOfAllFees() public {

_teachersAdded();

_studentsEnrolled();

// address teacher3 = makeAddr("teacher3");

// vm.prank(principal);

// levelOneProxy.addTeacher(teacher3);

address[] memory teachers = levelOneProxy.getListOfTeachers();

address levelTwo = makeAddr("levelTwo");

bytes memory data = abi.encodeCall(LevelTwo.graduate, ());

vm.prank(principal);

// vm.expectRevert();

levelOneProxy.graduateAndUpgrade(levelTwo, data);

console2.log("Total school Fees : ", levelOneProxy.bursary() / 1e18);

console2.log("principal : ", usdc.balanceOf(principal) / 1e18);

console2.log("alice : ", usdc.balanceOf(teachers[0]) / 1e18);

console2.log("bob : ", usdc.balanceOf(teachers[1]) / 1e18);

// console2.log("teacher 3 : ", usdc.balanceOf(teachers[2]));

}

3- In the command line, run the following command: forge test --match-test testEachTeacherTake35PercentOfAllFees -vvv

4- Note the output :

Total school Fees : 30000

principal : 1500

alice : 10500

bob : 10500

The balance of both alice and bob is 35% of Total school Fees For each.

5- Now change the content of this function and uncomment all the comments in this function (This would add a third teacher). The output will be like this:

Total school Fees : 30000

principal : 0

alice : 0

bob : 0

teacher 3 : 0

Note the transaction has been reverted and no one get paid.

Impact

payout function & graduate/update function LevelOne::graduateAndUpgrade which is the most critical function for the Principal & Teachers to get paid and for Students to graduate to become unusable.

Tools Used

Manual Recon.
foundry Test Suite.

Recommendations

in the LevelOne::graduateAndUpgrade function the Arithmetic flow for the Teachers to get their wage should be as following:

uint256 totalTeachers = listOfTeachers.length;

+ uint256 payPerTeacher = ((bursary * TEACHER_WAGE) / PRECISION) / totalTeachers;

Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

incorrect teacher pay calculation

`payPerTeacher` in `graduateAndUpgrade()` is incorrectly calculated.

yeahchibyke Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

incorrect teacher pay calculation

`payPerTeacher` in `graduateAndUpgrade()` is incorrectly calculated.

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.