Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

M-01: Incorrect Review Limit Allows More Reviews Than Session Duration

albert

Summary

The giveReview function uses require(reviewCount[_student] < 5, ...). If reviewCount is correctly incremented (addressing H-05), this allows a student to receive up to 5 reviews. However, a school session lasts 4 weeks with one review per week, implying exactly 4 reviews are intended.

Vulnerability Details

The condition reviewCount[_student] < 5 means the transaction will pass if reviewCount[_student] is 0, 1, 2, 3, or 4. If reviewCount is incremented after this check, a student can effectively receive reviews when their count before the review is 0, 1, 2, 3, and 4, leading to a total of 5 reviews. The README states "A school session lasts 4 weeks" and implies one review per week.

Impact

Students can receive a 5th review, which is one more than implied by the 4-week session. This could be exploited to give an extra "make-up" good review or a final punitive bad review, misaligning with the expected "4 reviews (one for each week)" structure. It also complicates the graduation check, which should verify exactly 4 reviews.

Tools Used

Manual Review, Logical Analysis.

Recommendations

Change the condition to require(reviewCount[_student] < 4, "HH__MaxReviewsReached"); to ensure that a student can only receive reviews when their current count is 0, 1, 2, or 3, leading to a maximum of 4 reviews after incrementing. The graduation check in graduateAndUpgrade should then confirm reviewCount[student] == 4.

Consolidated Code Modification for LevelOne.sol::giveReview (addressing H-05, M-01):

// src/LevelOne.sol

// ... (other parts of the contract) ...

function giveReview(address _student, bool review) public onlyTeacher {

if (!isStudent[_student]) {

revert HH__StudentDoesNotExist();

}

// --- START OF MODIFICATION FOR M-01 (Correct Review Limit) ---

// Original: require(reviewCount[_student] < 5, "Student review count exceeded!!!");

require(reviewCount[_student] < 4, "HH__MaxReviewsReached"); // MODIFIED: Allows reviews when count is 0, 1, 2, 3

// --- END OF MODIFICATION FOR M-01 ---

require(block.timestamp >= lastReviewTime[_student] + reviewTime, "Reviews can only be given once per week");

if (!review) { // where `false` is a bad review and true is a good review

studentScore[_student] -= 10;

}

lastReviewTime[_student] = block.timestamp; // Update last review time

// --- START OF MODIFICATION FOR H-05 (Increment reviewCount) ---

reviewCount[_student]++; // ADDED: Increment the student's review count

// --- END OF MODIFICATION FOR H-05 ---

emit ReviewGiven(_student, review, studentScore[_student]);

}

// ... (other parts of the contract) ...

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.