Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Breaking invariant - Incorrect review design

0xbc000

Summary

The review design is incorrect and it will breaks the invariant in 2 places


Vulnerability Details

1. No review count check during upgrade

In file LevelOne.sol function graduateAndUpgrade()

There's no check if 4 reviews are fulfilled for an individual student by checking reviewCount variable.

A principle can perform upgrade with no 4 reviews requirement.

function graduateAndUpgrade(
address _levelTwo,
bytes memory
) public onlyPrincipal {
if (_levelTwo == address(0)) {
revert HH__ZeroAddress();
}
uint256 totalTeachers = listOfTeachers.length;
uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
_authorizeUpgrade(_levelTwo);
for (uint256 n = 0; n < totalTeachers; n++) {
usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
}
usdc.safeTransfer(principal, principalPay);
}

Missing update reviewCount during giveReview() function

In the giveReview function, it is missing to update the reviewCount when a teacher giving student a review.

This will cause the system cannot log the correct review count for a student and break the business logic.


Impact

Invariant breaking -- Students must have gotten all reviews before system upgrade. System upgrade should not occur if any student has not gotten 4 reviews (one for each week)


Tools Used

Manual review


Recommendations

Considering updating the reviewCount within the giveReview() function

function giveReview(address _student, bool review) public onlyTeacher {
if (!isStudent[_student]) revert HH__StudentDoesNotExist();
require(reviewCount[_student] < 4, "Student review count exceeded!!!");
require(
block.timestamp >= lastReviewTime[_student] + reviewTime,
"Reviews can only be given once per week"
);
...
// count the reviews
reviewCount[_student] += 1;
...
function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal onlyAfterSession {
if (_levelTwo == address(0)) revert HH__ZeroAddress();
+ // make sure every student has 4 reviews or more
+ for (uint i = 0; i < listOfStudents.length; i++) {
+ address stu = listOfStudents[i];
+ if (reviewCount[stu] >= 4,) {
delete listOfStudents[i];
}
+ }
_authorizeUpgrade(_levelTwo);
....
Updates

Lead Judging Commences

yeahchibyke Lead Judge
6 months ago
yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.