Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect teacher wage distributoion logic leads to the fund loss

0xbc000

Summary

Within LevelOne contract function graduateAndUpgrade, the wage distribution could breaking the invariant if there's more than 1 teachers.

Vulnerability Details

In the project description, it shows 35% for the teacher wages.

But based on the function below, EVERY single teacher could get 35% of the total bursary amount.

This will leads to funds broken.

function graduateAndUpgrade(

address _levelTwo,

bytes memory

) public onlyPrincipal {

if (_levelTwo == address(0)) {

revert HH__ZeroAddress();

}

uint256 totalTeachers = listOfTeachers.length;

uint256 payPerTeacher = (bursary * TEACHER_WAGE) / PRECISION;

uint256 principalPay = (bursary * PRINCIPAL_WAGE) / PRECISION;

_authorizeUpgrade(_levelTwo);

for (uint256 n = 0; n < totalTeachers; n++) {

usdc.safeTransfer(listOfTeachers[n], payPerTeacher);

}

usdc.safeTransfer(principal, principalPay);

}

Proof of Concept

Within test file add the following

Add a new teacher zoe
setup 3 teachers in session
perform the upgrade, will trigger the vm.expectRevert()
Test will pass

// teachers

address alice;

address bob;

address zoe;

...

function _threeteachersAdded() internal {

vm.startPrank(principal);

levelOneProxy.addTeacher(alice);

levelOneProxy.addTeacher(bob);

levelOneProxy.addTeacher(zoe);

vm.stopPrank();

}

...

function test_graduate_with_three_teachers() public {

// setup 3 teachers env and start session

_threeteachersAdded();

_studentsEnrolled();

vm.prank(principal);

levelOneProxy.startSession(70);

levelTwoImplementation = new LevelTwo();

levelTwoImplementationAddress = address(levelTwoImplementation);

bytes memory data = abi.encodeCall(LevelTwo.graduate, ());

vm.startPrank(principal);

vm.expectRevert();

levelOneProxy.graduateAndUpgrade(levelTwoImplementationAddress, data);

}

Run with forge test -vvvv --match-test test_graduate_with_three_teachers

forge test -vvv --match-test test_graduate_with_three_teachers

[⠊] Compiling...

No files changed, compilation skipped

Ran 1 test for test/LeveOnelAndGraduateTest.t.sol:LevelOneAndGraduateTest

[PASS] test_graduate_with_three_teachers() (gas: 1197536)

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 19.00ms (1.54ms CPU time)

Ran 1 test suite in 143.21ms (19.00ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

The contract will not able to pay out the wages and not able to hold the remaining money.

Tools Used

Manual review

Recommendations

Adding checks for how many teachers are available and divide the 35% of the bursary.

Not each one gets 35%

Updates

Lead Judging Commences

yeahchibyke Lead Judge 28 days ago

Submission Judgement Published

Validated

Assigned finding tags:

incorrect teacher pay calculation

`payPerTeacher` in `graduateAndUpgrade()` is incorrectly calculated.

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.