Submission Details
Impact:
Likelihood:
`LevelOne::graduateAndUpgrade` upgrades students that do not meet the cutoff mark
Summary
The graduateAndUpgrade function does not check if students meet cut off mark before upgrading them. Hence, it upgrades all students.
Impact
Breaks one of the system invariants
Tools Used
Manual Review
Recommendations
First, implement an internal function that filters out students who do not meet the cut off mark from listOfStudents array. Then, call the internal function in the upgrade function:
+ function _checkPassedStudents() internal {
+ address[] memory newList = new address[](listOfStudents.length);
+ uint256 passingCount = 0;
+ for (uint256 i = 0; i < listOfStudents.length; i++) {
+ if (studentScore[listOfStudents[i]] >= cutOffScore) {
+ newList[passingCount] = listOfStudents[i];
+ passingCount++;
+ } else {
+ isStudent[listOfStudents[i]] = false;
+ reviewCount[listOfStudents[i]] = 0;
+ }
+ }
+ // 2. Resize and reassign the listOfStudents array
+ delete listOfStudents;
+ for (uint256 j = 0; j < passingCount; j++) {
+ listOfStudents.push(newList[j]);
+ }
+ }
function graduateAndUpgrade(
address _levelTwo,
bytes memory
) public onlyPrincipal {
if (_levelTwo == address(0)) {
revert HH__ZeroAddress();
}
// implement check for student that meets cut off mark
+ _checkPassedStudents();
uint256 totalTeachers = listOfTeachers.length;
uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
_authorizeUpgrade(_levelTwo);
for (uint256 n = 0; n < totalTeachers; n++) {
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
usdc.safeTransfer(principal, principalPay);
}
Rewards breakdown
nSLOC
243This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.