Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Missing Input Validation for `_cutOffScore` in `startSession`

Summary

This report identifies a missing input validation in the startSession() function of the LevelOne.sol contract. The _cutOffScore parameter, which determines the minimum score required for students to graduate, is not validated. This allows the principal to set a _cutOffScore that could be 0 or an unachievably high value (e.g., greater than 100, given current scoring mechanics). Such values can lead to unintended graduation outcomes, either making graduation trivial or impossible, undermining the integrity of the academic assessment process.

Vulnerability Details / Issue Description

The startSession(uint256 _cutOffScore) function is called by the principal to begin a new school session and set the graduation threshold.

```solidity
// From LevelOne.sol
function startSession(uint256 _cutOffScore) public onlyPrincipal notYetInSession {
    sessionEnd = block.timestamp + 4 weeks;
    inSession = true;
    cutOffScore = _cutOffScore; // _cutOffScore is not validated
    emit SchoolInSession(block.timestamp, sessionEnd);
}
```

The contract's scoring mechanism is as follows:

  • Students enroll() and studentScore is initialized to 100.

  • The giveReview(address _student, bool review) function, when review is false (bad review), executes studentScore[_student] -= 10;. There is no mechanism to increase the score.

If _cutOffScore is not validated:

  1. If _cutOffScore is set to 0: Students would only fail to graduate if their score drops below 0. Given scores start at 100 and decrease by 10 per bad review, this would require more than 10 bad reviews. With a maximum of 4 reviews per student (implied by reviewCount[_student] < 5 and weekly reviews over 4 weeks), the lowest score a student could realistically get is 60 (100 - 4*10). Thus, a cutOffScore of 0 would likely result in all students graduating, regardless of performance.

  2. If _cutOffScore is set to a value greater than 100 (e.g., 101): Since student scores start at 100 and can only decrease, no student would ever be able to meet this cutOffScore, making graduation impossible for everyone.

Impact

  • Undermining Academic Integrity: Allows the cutOffScore to be set to levels that do not reflect a meaningful academic standard, making graduation either too easy or impossible.

  • Unfair Outcomes: Depending on the chosen _cutOffScore, the system could lead to outcomes that are unfair to students or devalue the concept of graduation within Hawk High.

  • Violation of Implicit Expectations: Users would expect the cutOffScore to be a reasonable and achievable, yet challenging, benchmark. The lack of validation allows this expectation to be violated.

Tools Used

Manual Code Review

Recommendations

Implement input validation for the _cutOffScore parameter in the startSession function. The validation should ensure that the _cutOffScore is set to a value that is:

  1. Greater than zero (to ensure some level of achievement is required).

  2. Less than or equal to the maximum possible score (currently 100, as scores only decrease from this initial value).
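One way to apply both checks, shown as an added example in a trimmed stand-in contract (not the project's LevelOne.sol and not code from this submission). The contract name, the MAX_SCORE constant, the custom errors, the event parameter names and the simplified modifiers are assumptions made so the snippet compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: a minimal stand-in for LevelOne.sol that keeps only
/// the state needed to show the validated startSession().
contract CutOffScoreValidationExample {
    // Assumption: mirrors the report's statement that scores start at 100
    // and can only decrease, so 100 is the highest achievable score.
    uint256 public constant MAX_SCORE = 100;

    address public immutable principal;
    bool public inSession;
    uint256 public sessionEnd;
    uint256 public cutOffScore;

    // Parameter names are assumed; the report only shows the emit call.
    event SchoolInSession(uint256 startTime, uint256 endTime);

    // Hypothetical error names, introduced for this example.
    error NotPrincipal();
    error AlreadyInSession();
    error InvalidCutOffScore(uint256 provided, uint256 maxAllowed);

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    modifier notYetInSession() {
        if (inSession) revert AlreadyInSession();
        _;
    }

    constructor() {
        principal = msg.sender;
    }

    function startSession(uint256 _cutOffScore) public onlyPrincipal notYetInSession {
        // Recommendation 1: reject 0. Recommendation 2: reject values above
        // the maximum possible score, which no student could ever reach.
        if (_cutOffScore == 0 || _cutOffScore > MAX_SCORE) {
            revert InvalidCutOffScore(_cutOffScore, MAX_SCORE);
        }
        sessionEnd = block.timestamp + 4 weeks;
        inSession = true;
        cutOffScore = _cutOffScore;
        emit SchoolInSession(block.timestamp, sessionEnd);
    }
}
```

These bounds implement only the two conditions listed above. By the report's own arithmetic the lowest realistic score is 60, so a cutoff at or below 60 would still pass the check while graduating every student.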

Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
