Hawk High

Summary

This report identifies a critical vulnerability in the giveReview() function of the LevelOne.sol contract. The reviewCount[_student] state variable, which is intended to track the number of reviews a student has received, is never incremented. This oversight has two major consequences:

1. The check require(reviewCount[_student] < 5, "Student review count exceeded!!!"); becomes ineffective, as reviewCount[_student] will always be its default value (0).

2. The system cannot accurately track if students have received the required number of reviews (e.g., 4 reviews) before graduation, which is a documented prerequisite. This undermines a core academic rule of the Hawk High system.

Vulnerability Details / Issue Description

The giveReview(address _student, bool review) function allows teachers to submit reviews for students. It includes a check using reviewCount[_student]:

The reviewCount mapping is intended to limit the number of reviews a student can receive and potentially to ensure students meet a minimum review count for graduation. However, this mapping is read but never written to (incremented) within the giveReview function or any other function in the contract.

As a result:

• The condition reviewCount[_student] < 5 will always evaluate to 0 < 5 (true) for any student, meaning the intended limit on the number of reviews is bypassed. The only effective limit on reviews per student becomes the 1-week reviewTime cooldown over the 4-week session, allowing a maximum of 4 reviews.

• The documented project rule "Students must have gotten all reviews before system upgrade... 4 reviews (one for each week)" cannot be enforced if reviewCount is not accurately tracked. Any logic in graduateAndUpgrade or LevelTwo.sol's graduate() reinitializer that relies on reviewCount would operate on incorrect data (always 0).

Proof Of Concept / Scenario

1. A student enrolls. reviewCount[student] is 0.

2. A teacher gives the student a first review. The require(reviewCount[student] < 5) check (0 < 5) passes. lastReviewTime is updated. reviewCount[student] remains 0.

3. After one week, the teacher gives a second review. The require(reviewCount[student] < 5) check (0 < 5) still passes. lastReviewTime is updated. reviewCount[student] remains 0.

4. This can continue for up to 4 reviews within the 4-week session. The reviewCount will always be 0.

5. When graduateAndUpgrade is called, if it checks reviewCount[student] to ensure it's 4 (as per docs), this check will fail because reviewCount[student] is 0. Alternatively, if the check is lenient or missing due to this bug, students might graduate without fulfilling the review prerequisite.

Impact

The impact of this vulnerability is High:

• Bypassing Core Academic Rules: The intended limit on the number of reviews is non-functional. More critically, the prerequisite for students to receive a certain number of reviews before graduation cannot be enforced.

• Data Integrity Failure: The reviewCount state variable does not reflect the actual number of reviews given, leading to incorrect state.

• Potential for Unfair Graduation: Students might graduate without meeting all documented academic requirements if the graduation logic cannot rely on an accurate reviewCount.

• Misleading Code Logic: The presence of the reviewCount check implies functionality that does not exist

Tools Used

Manual Code Review

Recommendations

Modify the giveReview function to increment reviewCount[_student] after a review is successfully processed.