Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

Missing Graduation Requirements Validation

Summary

The graduateAndUpgrade function in LevelOne.sol does not verify that students meet the graduation criteria, namely the minimum number of reviews and the cut-off score.

Vulnerability Details

    function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
        if (_levelTwo == address(0)) {
            revert HH__ZeroAddress();
        }
        // No check whether students have enough reviews or meet the cutoff
        uint256 totalTeachers = listOfTeachers.length;
        uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;
        uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;
        _authorizeUpgrade(_levelTwo);
        for (uint256 n = 0; n < totalTeachers; n++) {
            usdc.safeTransfer(listOfTeachers[n], payPerTeacher);
        }
        usdc.safeTransfer(principal, principalPay);
    }

  • No validation of student review count (should have 4 reviews)

  • No check against cutOffScore requirement

  • Students can graduate without meeting minimum requirements

Impact

Medium: This vulnerability:

  • Allows students to graduate without meeting requirements

  • Bypasses the intended evaluation system

  • Could lead to unqualified students advancing

Tools Used

Manual code review

Recommendations

Add graduation requirements checks, for example:

    for (uint256 i = 0; i < listOfStudents.length; i++) {
        address student = listOfStudents[i];
        require(reviewCount[student] >= 4, "Student has insufficient reviews");
        require(studentScore[student] >= cutOffScore, "Student score below cutoff");
    }

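
The recommended check placed in a stand-alone contract that compiles on its own, as an added example that is not the Hawk High code. Only listOfStudents, reviewCount, studentScore and cutOffScore come from the finding; the contract name, REQUIRED_REVIEWS, addStudent, isEligible, graduated, graduate and the custom errors are hypothetical, and access control, the upgrade and the USDC payouts are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Hawk High code. Only listOfStudents, reviewCount,
// studentScore and cutOffScore come from the page; every other name is hypothetical.
contract GraduationGateExample {
    uint256 public constant REQUIRED_REVIEWS = 4; // review count stated in the finding

    address[] public listOfStudents;
    uint256 public cutOffScore;
    bool public graduated;
    mapping(address => uint256) public reviewCount;
    mapping(address => uint256) public studentScore;

    // Custom errors name the student who blocks graduation and the failing value.
    error InsufficientReviews(address student, uint256 reviews);
    error ScoreBelowCutOff(address student, uint256 score, uint256 cutOff);

    constructor(uint256 _cutOffScore) {
        cutOffScore = _cutOffScore;
    }

    // Hypothetical helper standing in for enrolment and the review process.
    function addStudent(address student, uint256 reviews, uint256 score) external {
        listOfStudents.push(student);
        reviewCount[student] = reviews;
        studentScore[student] = score;
    }

    // Pre-flight view so the caller can see who would block graduation.
    function isEligible(address student) public view returns (bool) {
        return reviewCount[student] >= REQUIRED_REVIEWS && studentScore[student] >= cutOffScore;
    }

    // The gate: runs before any state change, upgrade or payout.
    function _checkGraduationRequirements() internal view {
        uint256 total = listOfStudents.length; // read the length once
        for (uint256 i = 0; i < total; i++) {
            address student = listOfStudents[i];
            if (reviewCount[student] < REQUIRED_REVIEWS) revert InsufficientReviews(student, reviewCount[student]);
            if (studentScore[student] < cutOffScore) revert ScoreBelowCutOff(student, studentScore[student], cutOffScore);
        }
    }

    // Stand-in for graduateAndUpgrade; upgrade and USDC transfers are omitted.
    function graduate() external {
        _checkGraduationRequirements();
        graduated = true;
    }
}
```

As with the require-based loop above, a single student below either threshold reverts the whole call, so isEligible can be queried per student beforehand to find who blocks it.
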
Updates

Lead Judging Commences

yeahchibyke Lead Judge 28 days ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.
