What Happens After a Session Ends?
Summary
The contract does not specify what happens after a session ends, leaving the system in an undefined state.
Vulnerability Details
Root Cause: There is no function to handle the end of a session or update the state of the contract:
function startSession(uint256 _cutOffScore) public onlyPrincipal notYetInSession {
sessionEnd = block.timestamp + 4 weeks;
inSession = true;
cutOffScore = _cutOffScore;
}
Initial State: A session is active.
Step 1: The session end time (sessionEnd) is reached.
Outcome: The session remains active (inSession = true), and no state updates occur.
Implications: The system does not transition to a post-session state, leading to potential inconsistencies.
Impact
Who is affected: The school system, students, and teachers.
How they are affected: The undefined state could lead to confusion or exploitation.
Tools Used
manuel review
Recommendations
Add a function to end the session and update the state:
function endSession() public onlyPrincipal {
require(block.timestamp >= sessionEnd, "Session not ended yet");
inSession = false;
emit SessionEnded(block.timestamp);
}
Lead Judging Commences
session state not updated
`inSession` not updated after during upgrade
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.