Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: low
Valid

Missing Business Logic

Summary

There is no `endSession()` function or other mechanism to trigger the upgrades.

Vulnerability Detail

The principal, if malicious or compromised, can upgrade the whole system at any time, because there is no check that implements an `endSession` mechanism to trigger upgrades.
`endSession` should ensure that the 4 weeks have passed.

Impact

The impact can be high, since this breaks the protocol invariant that the school should not upgrade unless 4 weeks have passed.

Tools Used

Manual review

Recommendations

Add a function or a mechanism that triggers the upgrade with a correct implementation of the 4-week requirement.
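
One way to apply the recommendation, as an added sketch that is not the Hawk High contract or the submitter's code: a session timer set at start and checked in `graduateAndUpgrade()`. Every name except `graduateAndUpgrade()` is an assumption, and the upgrade step itself is reduced to an event.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. State variables, errors, events and startSession()
// are assumed names; they are not taken from the audited code base.
contract SessionGatedUpgrade {
    uint256 public constant SESSION_LENGTH = 4 weeks;

    address public immutable principal;
    uint256 public sessionEnd; // 0 until the first session is started
    bool public inSession;

    event SessionStarted(uint256 endsAt);
    event Graduated(address newImplementation);

    error NotPrincipal();
    error SessionAlreadyRunning();
    error NoActiveSession();
    error SessionNotOver(uint256 endsAt, uint256 currentTime);

    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    constructor() {
        principal = msg.sender;
    }

    function startSession() external onlyPrincipal {
        if (inSession) revert SessionAlreadyRunning();
        inSession = true;
        sessionEnd = block.timestamp + SESSION_LENGTH;
        emit SessionStarted(sessionEnd);
    }

    // Reverts until a session has been started and its 4 weeks have elapsed,
    // so even a compromised principal key cannot upgrade early.
    function graduateAndUpgrade(address newImplementation) external onlyPrincipal {
        if (!inSession) revert NoActiveSession();
        if (block.timestamp < sessionEnd) revert SessionNotOver(sessionEnd, block.timestamp);
        inSession = false; // close the session so one elapsed timer allows one upgrade
        emit Graduated(newImplementation);
        // the contract's actual upgrade step would follow here
    }
}
```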

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

can graduate without session end

`graduateAndUpgrade()` can be called successfully even when the school session has not ended
