Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Broken Review Tracking

Summary

The review tracking system is fundamentally broken: the `reviewCount` variable is never incremented when a review is given, so the per-student review limit is never enforced.

Vulnerability Details

In the giveReview function there is a check that limits a student to fewer than 5 reviews, but the `reviewCount` counter is never incremented, so the check can never fail:

function giveReview(address _student, bool review) public onlyTeacher {
    // ...
    require(reviewCount[_student] < 5, "Student review count exceeded!!!");
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
    // where `false` is a bad review and `true` is a good review
    if (!review) {
        studentScore[_student] -= 10;
    }
    // Update last review time
    lastReviewTime[_student] = block.timestamp;
    // Missing: reviewCount[_student]++ to increment the counter
    emit ReviewGiven(_student, review, studentScore[_student]);
}

Below is the test case that demonstrates this vulnerability:

POC (PROOF OF CONCEPT)

Add this test to LevelOneAndGraduateTest.t:

function testBrokenReviewCount() public schoolInSession {
    vm.warp(block.timestamp + 1 weeks + 1);
    // Give first review
    vm.startPrank(alice);
    levelOneProxy.giveReview(clara, true);
    vm.stopPrank();
    // Wait a week
    vm.warp(block.timestamp + 1 weeks + 1);
    // Give second review
    vm.startPrank(alice);
    levelOneProxy.giveReview(clara, true);
    vm.stopPrank();
    // Wait a week
    vm.warp(block.timestamp + 1 weeks + 1);
    // Give third review
    vm.startPrank(alice);
    levelOneProxy.giveReview(clara, true);
    vm.stopPrank();
    // Wait a week
    vm.warp(block.timestamp + 1 weeks + 1);
    // Give fourth review
    vm.startPrank(alice);
    levelOneProxy.giveReview(clara, true);
    vm.stopPrank();
    // Wait a week
    vm.warp(block.timestamp + 1 weeks + 1);
    // Try to give a fifth review. With working tracking this would revert with
    // "Student review count exceeded!!!", but it succeeds because reviewCount
    // is never incremented.
    vm.startPrank(alice);
    levelOneProxy.giveReview(clara, true);
    vm.stopPrank();
    // Now give a sixth review to show that reviews are effectively unlimited
    vm.warp(block.timestamp + 1 weeks + 1);
    vm.startPrank(alice);
    levelOneProxy.giveReview(clara, true);
    vm.stopPrank();
}

As the test shows, any number of reviews can be given to a student because `reviewCount` never increases.

Impact

The review counting system is broken:

  • Students could receive unlimited reviews, violating the "one review per week" constraint

  • Makes it impossible to track if students have received exactly 4 reviews

  • Renders the reviewCount check pointless

Tools Used

Manual code review

Recommendations

Add the missing counter increment:

function giveReview(address _student, bool review) public onlyTeacher {
    if (!isStudent[_student]) {
        revert HH__StudentDoesNotExist();
    }
    // Change limit from 5 to 4 as per requirements
    require(reviewCount[_student] < 4, "Student already has 4 reviews");
    require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
    if (!review) {
        studentScore[_student] -= 10;
    }
    // Update last review time
    lastReviewTime[_student] = block.timestamp;
    // Add missing counter increment
    reviewCount[_student]++;
    emit ReviewGiven(_student, review, studentScore[_student]);
}
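As an added regression check that is not part of the original submission or of the Hawk High code base: a self-contained Foundry test of the recommended fix on a constructed minimal contract. `ReviewTrackerFixed`, its constructor, the `"not teacher"` message and the `clara` address are assumptions made for this example; it shows that once `reviewCount` is incremented, the fifth review reverts on the count check rather than on the weekly timing check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the affected contract: only the review bookkeeping is
// modelled, with the recommended fix applied (counter incremented, limit of 4).
contract ReviewTrackerFixed {
    uint256 public constant reviewTime = 1 weeks;
    address public immutable teacher;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore;
    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public lastReviewTime;
    error HH__StudentDoesNotExist();
    modifier onlyTeacher() { require(msg.sender == teacher, "not teacher"); _; }
    constructor(address _student) {
        teacher = msg.sender;        // deployer acts as the teacher
        isStudent[_student] = true;  // enrol one student with a starting score
        studentScore[_student] = 100;
    }
    function giveReview(address _student, bool review) public onlyTeacher {
        if (!isStudent[_student]) revert HH__StudentDoesNotExist();
        require(reviewCount[_student] < 4, "Student already has 4 reviews");
        require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");
        if (!review) studentScore[_student] -= 10;  // false is a bad review
        lastReviewTime[_student] = block.timestamp;
        reviewCount[_student]++;                    // the fix: count every review given
    }
}

contract ReviewCountFixTest is Test {
    ReviewTrackerFixed tracker;
    address clara = makeAddr("clara");
    function setUp() public {
        tracker = new ReviewTrackerFixed(clara);  // this test contract is the teacher
    }
    // Four weekly reviews are accepted; the fifth must revert on the count check.
    // Each warp keeps the weekly timing check satisfied so only the counter can fail.
    function testFifthReviewReverts() public {
        for (uint256 i = 0; i < 4; i++) {
            vm.warp(block.timestamp + 1 weeks + 1);
            tracker.giveReview(clara, true);
        }
        assertEq(tracker.reviewCount(clara), 4);
        vm.warp(block.timestamp + 1 weeks + 1);
        vm.expectRevert(bytes("Student already has 4 reviews"));
        tracker.giveReview(clara, true);
    }
}
```

Run it with `forge test --match-test testFifthReviewReverts`; the same assertion pattern, applied to the project's own test fixture, makes the count limit a permanent regression check.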

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

reviewCount not updated

`reviewCount` for students is not updated after each review session
