Hawk High
First Flight #39
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Persistent Session State Blocks New Enrollments and Sessions in `LevelOne` Contract

nhippolyt

Summary

The inSession state variable remains true indefinitely after the first session starts, preventing new enrollments and subsequent sessions. This violates the protocol’s intended lifecycle, where sessions should conclude after 4 weeks, enabling upgrades and new enrollments.

Vulnerability Details

Affected Components:

  • inSession State Variable: Never reset to false after a session ends.

  • startSession Function: Blocked by the notYetInSession modifier once inSession is true.

  • graduateAndUpgrade Function: Fails to reset inSession during upgrades.

Technical Analysis:

  • Session Lifecycle Flaw:

    • When startSession is called, inSession is set to true and sessionEnd is set to block.timestamp + 4 weeks.

    • After sessionEnd passes, the contract logic does not update inSession to false.

    • The notYetInSession modifier in startSession permanently blocks new sessions because inSession remains true.

  • Upgrade Process Impact:

    • The graduateAndUpgrade function is designed to upgrade the system but does not reset inSession.

    • Post-upgrade, inSession stays true, preventing new enrollments (as enroll requires notYetInSession).

Impact

Critical Protocol Halting:

  • New Enrollments Blocked: Students cannot enroll after the first session ends.

  • New Sessions Unstartable: The principal cannot initiate new sessions, freezing the protocol.

  • Financial Loss: Stagnant protocol loses utility, potentially causing reputational and monetary harm.

Tools Used

Recommendations

Fix 1: Automatically Reset inSession Based on Time

Modify inSession to be dynamically checked against sessionEnd:

function isSessionActive() public view returns (bool) {
return block.timestamp <= sessionEnd;
}
// Replace all direct checks of `inSession` with `isSessionActive()`.
// Delete the `inSession` state variable.

Fix 2: Reset inSession During Upgrades

Update graduateAndUpgrade to end the session:

function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {
// Ensure sessionEnd has passed
require(block.timestamp >= sessionEnd, "Session not ended");
// Reset session state
inSession = false; // Add this line
// Proceed with upgrade logic...
_authorizeUpgrade(_levelTwo);
// ...rest of code
}

Fix 3: Add Explicit Session Termination Function

Introduce a guarded function to reset the session:

function endSession() external onlyPrincipal {
require(block.timestamp >= sessionEnd, "Session ongoing");
inSession = false;
}
Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

can graduate without session end

`graduateAndUpgrade()` can be called successfully even when the school session has not ended

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

can graduate without session end

`graduateAndUpgrade()` can be called successfully even when the school session has not ended

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.