The LevelOne contract has a vulnerability where a student's score can be repeatedly decreased without a floor check. This creates a denial-of-service condition where teachers cannot give negative reviews to students who have reached a low score, breaking the review system regardless of the cutoff score set by the principal. The vulnerability exists independently of the principal's actions and affects the system's core functionality.
This breaks key invariants, as in the following scenario:
A student starts with 100 points
After 10 bad reviews, their score would be 0. Assume multiple sessions passed.
On the 11th bad review, attempting to subtract 10 from 0 would normally cause an underflow
However, since the contract uses Solidity 0.8.26 (as specified in the pragma), arithmetic underflow is automatically checked and will revert. This means:
When a student's score reaches 0, any further attempts to decrease it will revert
This creates an interesting situation where a student who reaches 0 becomes "immune" to further bad reviews
If the principal sets a cutoff score of 0, these students would technically be eligible to graduate despite having the worst possible performance
If cutoff score < 10 (e.g., cutoff = 5):
Students with scores of 5-9 or higher would still pass the cutoff
But they can't receive further negative reviews once their score would go below 0
This means a student with a score of 5 is artificially protected from further negative evaluation
This issue impacts the system regardless of the principal's intentions:
System Functionality Failure: Teachers cannot complete required reviews for low-scoring students, breaking a key system invariant
Integrity of Academic Evaluation: The system cannot properly track performance of struggling students
Fairness Issues: Students who perform poorly enough to reach a low score are inadvertently protected from further negative evaluations
Denial of Service: Review functionality becomes unavailable for certain students, creating an incomplete evaluation record. The invariant that "Students must have gotten all reviews before system upgrade" becomes impossible to fulfill
Note that this does not require malicious action on the part of the principal. Setting sessions with specific cutoff scores is a legitimate action under the protocol. The vulnerability is a result of legitimate, non-malicious action on the protocol side.
manual review
Consider using a different scoring mechanism that doesn't have this edge case
Implement a floor check to prevent scores from going below 0
Reset the score on session start, if that aligns with the business logic
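The floor check from the recommendations, shown next to the unguarded decrement, as an added example that is not the LevelOne source. The contract name, function names, the `PENALTY` constant and the sample address are assumptions for illustration; access control and review-count logic are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;

// Illustration only: hypothetical names, not the LevelOne contract.
contract ReviewScoreDemo {
    uint256 public constant PENALTY = 10; // points removed per bad review
    mapping(address => uint256) public score;

    function enroll(address student) external {
        score[student] = 100; // starting score stated in the finding
    }

    // Unguarded pattern described in the finding. Under 0.8.x checked
    // arithmetic this reverts with Panic(0x11) once score < PENALTY,
    // so the review can never be recorded.
    function badReviewNoFloor(address student) external {
        score[student] -= PENALTY;
    }

    // Floor-checked form: the review always succeeds and the score
    // saturates at 0 instead of reverting.
    function badReviewWithFloor(address student) external {
        uint256 current = score[student];
        score[student] = current > PENALTY ? current - PENALTY : 0;
    }

    // Replays the scenario: 10 bad reviews take 100 down to 0, then the
    // 11th is attempted on both paths.
    function replayScenario() external returns (bool noFloorReverted, uint256 flooredScore) {
        address student = address(0xBEEF); // constructed sample address
        score[student] = 100;
        for (uint256 i = 0; i < 10; i++) {
            this.badReviewNoFloor(student);
        }
        // 11th review on the unguarded path: expect an arithmetic panic.
        try this.badReviewNoFloor(student) {
            noFloorReverted = false;
        } catch Panic(uint256 code) {
            noFloorReverted = (code == 0x11); // 0x11 = arithmetic under/overflow
        }
        // 11th review on the guarded path: succeeds, score stays at 0.
        this.badReviewWithFloor(student);
        flooredScore = score[student];
    }
}
```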