Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

`reviewCount` Not Incremented After Review — Violates Protocol Invariant

Summary

The `reviewCount` mapping, which appears to track how many reviews a student has received, is never incremented within the `giveReview()` function. This makes the associated review count check (`require(reviewCount[_student] < 5)`) misleading and ineffective.

Vulnerability Details

Relevant code snippet:

```solidity
require(reviewCount[_student] < 5, "Student review count exceeded!!!");
```

This line is intended to enforce an upper limit on how many times a student can be reviewed. However, the function never updates `reviewCount[_student]` after a review is given. As a result:

  • Students can potentially be reviewed indefinitely without hitting the limit.

  • The critical invariant "Students must have gotten all reviews before system upgrade" is impossible to validate.

  • Review-based upgrade logic becomes unreliable or meaningless.

System Invariant (from provided spec):

"Students must have gotten all reviews before system upgrade. System upgrade should not occur if any student has not gotten 4 reviews (one for each week)."

Since the system depends on this count for upgrade eligibility, failing to increment it introduces a logical inconsistency and a potential for privilege abuse or system malfunction.

Impact

  • Protocol upgrade gating becomes unenforceable.

  • Violates the upgrade eligibility invariant.

  • Students may be upgraded prematurely or indefinitely blocked from valid progression.

  • Potential DoS or unfair certification due to untracked evaluations.

Tools Used

  • Manual Code Review

Recommendations

  • Increment `reviewCount[_student]` at the end of the `giveReview()` function (before the emit), as on the line marked `// fix`:

```solidity
function giveReview(address _student, bool review) public onlyTeacher {
    if (!isStudent[_student]) {
        revert HH__StudentDoesNotExist();
    }
    require(reviewCount[_student] < 5, "Student review count exceeded!!!");
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
    // where `false` is a bad review and true is a good review
    if (!review) {
        studentScore[_student] -= 10;
    }
    // Update last review time
    lastReviewTime[_student] = block.timestamp;
    // Update review count
    reviewCount[_student] += 1; // fix
    emit ReviewGiven(_student, review, studentScore[_student]);
}
```
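
A regression test for this finding, written as an added example rather than code from the submission or the audited project: it pins down both the unfixed behaviour (counter stays at zero) and the fixed one (cap enforced). `ReviewHarness`, its `applyFix` switch, the one-week `reviewTime` and the student address are assumptions made for illustration; the test uses Foundry's forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the reviewed contract: only the two checks and the
// counter from the report are modelled; roles, scoring and events are omitted.
contract ReviewHarness {
    uint256 public constant reviewTime = 1 weeks; // assumed value
    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public lastReviewTime;
    bool immutable applyFix;
    constructor(bool _applyFix) { applyFix = _applyFix; }

    function giveReview(address _student, bool) external {
        require(reviewCount[_student] < 5, "Student review count exceeded!!!");
        require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
        lastReviewTime[_student] = block.timestamp;
        if (applyFix) reviewCount[_student] += 1; // the recommended line
    }
}

contract ReviewCountTest is Test {
    address student = address(0xA11CE); // constructed sample address

    function _reviewWeekly(ReviewHarness h, uint256 n) internal {
        for (uint256 i; i < n; ++i) {
            vm.warp(block.timestamp + 1 weeks); // satisfy the weekly cooldown
            h.giveReview(student, true);
        }
    }

    function test_unfixed_counterNeverMoves() public {
        ReviewHarness h = new ReviewHarness(false);
        _reviewWeekly(h, 10); // none revert: the cap is never reached
        assertEq(h.reviewCount(student), 0);
    }

    function test_fixed_capIsEnforced() public {
        ReviewHarness h = new ReviewHarness(true);
        _reviewWeekly(h, 5);
        assertEq(h.reviewCount(student), 5);
        vm.warp(block.timestamp + 1 weeks);
        vm.expectRevert(bytes("Student review count exceeded!!!"));
        h.giveReview(student, true);
    }
}
```
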
Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session
