Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Optimistic Assumption on Review Timing May Cause Session to Fail

finn79426

Summary

The contract assumes that each student will receive exactly one review per week over a 4-week session. This is enforced by a reviewTime constraint (require(block.timestamp >= lastReviewTime[_student] + reviewTime)), and is aligned with the protocol invariant stating:

"Students must have gotten all reviews before system upgrade. System upgrade should not occur if any student has not gotten 4 reviews (one for each week)."

However, this logic relies heavily on the assumption that reviews will be delivered on time, every week, without delay. In reality, factors like block time variance, network congestion, or operational oversight can result in missed review windows. If even one review is missed due to such timing issues, that student will be permanently stuck — making it impossible for the entire session to complete successfully under the current rules.

Vulnerability Details

Key problem:

require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");

This restriction prevents teachers from giving a review if the required interval has not passed. If a review is delayed even slightly beyond the intended 7-day window (due to block time drift or teacher delay), the entire review schedule for that student is pushed forward, making it impossible to fit 4 reviews within the 4-week session limit.

No fallback or late-review handling logic is provided, meaning that once a week is missed, the system becomes logically blocked from completing as per the protocol rules.

Impact

System upgrade becomes impossible due to unmet review requirements.
A single missed or delayed review causes an entire school session to fail.
Results in denial-of-service (DoS) at a logical level.
Violates the invariant: “System upgrade cannot take place unless school’s sessionEnd has reached.”
Damages student experience and principal/teacher accountability workflows.

Tools Used

Manual review
Specification/invariant cross-checking
Real-world block time variance considerations

Recommendations

Allow grace period or catch-up reviews:
- Loosen timing restriction to allow reviews within a flexible range (e.g., "within 6 to 9 days from last review").
- Or, allow teachers to give reviews at any time, but limit total to 4.
Track review count with timestamps instead of enforcing strict week gaps.
- For example, store an array of review timestamps and ensure there are four non-overlapping time slots across the 4-week session.
Add session deadline enforcement:
- Enforce a rule that all reviews must be completed before sessionEnd, but don't require exactly 7-day spacing between reviews.

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.