Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Teachers Can Submit Reviews Outside School Session to Manipulate Review System

Summary

The giveReview function lacks a session state check, allowing teachers to manipulate student scores by submitting reviews when school is not in session.

Vulnerability Details

Root Cause: The giveReview function only checks that the caller is a teacher and that the student exists; it never verifies that the school is currently in session (inSession), so the review window is not enforced.

```solidity
function giveReview(address _student, bool review) public onlyTeacher {
    if (!isStudent[_student]) {
        revert HH__StudentDoesNotExist();
    }
    // Missing check for inSession state
    // ...rest of the function
}
```

Initial State:

  • School not in session

  • Teachers registered

  • Students enrolled

Attack Steps:

  1. School session ends or hasn't started yet (inSession = false)

  2. Malicious teacher calls giveReview with review = false

  3. Student's score is reduced by 10 points

  4. Process can be repeated to artificially lower student scores

Outcome: Students can have their scores manipulated outside of the legitimate school session period.

Implications:

  • Compromises the fairness of the grading system

  • Students could unfairly fail to meet cutOffScore

  • Violates the intended review timing constraints

Impact

  • Students can have scores manipulated outside session time

  • Potential for teacher abuse of the review system

  • Breaks core school grading integrity

  • Could prevent legitimate student graduation


POC

```solidity
// Add to the existing Foundry test contract for LevelOne; `principal`,
// `levelOneProxy`, `usdc` and `schoolFees` are that contract's fixtures.
function testReviewOutsideSession() public {
    // Setup: a fresh teacher and student
    address student1 = makeAddr("student1");
    address teacher1 = makeAddr("teacher1");

    // Principal registers the teacher
    vm.prank(principal);
    levelOneProxy.addTeacher(teacher1);

    // Student pays the school fee and enrolls
    vm.startPrank(student1);
    usdc.mint(student1, schoolFees);
    usdc.approve(address(levelOneProxy), schoolFees);
    levelOneProxy.enroll();
    vm.stopPrank();

    // Enrolled students start at 100
    assertEq(levelOneProxy.studentScore(student1), 100);

    // Warp forward one week so the once-per-week review time check passes.
    // No session has been started, so inSession is still false.
    vm.warp(block.timestamp + 1 weeks);

    // Teacher gives a bad review while the school is not in session
    vm.prank(teacher1);
    levelOneProxy.giveReview(student1, false);

    // Score drops by 10 despite no active session
    assertEq(levelOneProxy.studentScore(student1), 90);
}
```

Tools Used

Manual review

Recommendations

Add a session state check to the giveReview function so that reviews are only accepted while a session is running. Note that the check is only as good as the inSession flag itself: it must be set when a session starts and cleared when the session ends or the contract is upgraded, otherwise the gate is either permanently open or permanently closed.

```solidity
// Requires `error HH__NotInSession();` to be declared in the contract
// if it is not already.
function giveReview(address _student, bool review) public onlyTeacher {
    if (!inSession) {
        revert HH__NotInSession();
    }
    if (!isStudent[_student]) {
        revert HH__StudentDoesNotExist();
    }
    // ...rest of the function
}
```
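The following is an added, self-contained illustration of the recommended gate together with the Foundry tests a reviewer would want to see it pass; it is not the Hawk High code and does not reproduce the project's fee, review-count or time-between-reviews logic. The contract name SessionGatedReviews, the startSession/endSession helpers, the onlyInSession modifier and the HH__NotTeacher error are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the review logic (example only, not the Hawk High contract).
contract SessionGatedReviews {
    error HH__NotInSession();
    error HH__NotTeacher();
    error HH__StudentDoesNotExist();

    address public principal;
    bool public inSession;
    mapping(address => bool) public isTeacher;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore;

    modifier onlyPrincipal() {
        require(msg.sender == principal, "not principal");
        _;
    }

    modifier onlyTeacher() {
        if (!isTeacher[msg.sender]) revert HH__NotTeacher();
        _;
    }

    // The gate the finding recommends: reviews are only valid during a session.
    modifier onlyInSession() {
        if (!inSession) revert HH__NotInSession();
        _;
    }

    constructor() {
        principal = msg.sender;
    }

    function addTeacher(address teacher) external onlyPrincipal {
        isTeacher[teacher] = true;
    }

    // Assumed enrollment: no fee, every student starts at 100.
    function enroll() external {
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100;
    }

    // The flag must actually be maintained by the principal for the gate to mean anything.
    function startSession() external onlyPrincipal {
        inSession = true;
    }

    function endSession() external onlyPrincipal {
        inSession = false;
    }

    // Session check runs before the student check, matching the recommendation.
    function giveReview(address _student, bool review) external onlyTeacher onlyInSession {
        if (!isStudent[_student]) revert HH__StudentDoesNotExist();
        if (!review) studentScore[_student] -= 10;
    }
}

contract SessionGateTest is Test {
    SessionGatedReviews school;
    address principal = makeAddr("principal");
    address teacher = makeAddr("teacher");
    address student = makeAddr("student");

    function setUp() public {
        vm.prank(principal);
        school = new SessionGatedReviews();
        vm.prank(principal);
        school.addTeacher(teacher);
        vm.prank(student);
        school.enroll();
    }

    // The original attack path: no session started, teacher submits a bad review.
    function testReviewRevertsOutsideSession() public {
        vm.prank(teacher);
        vm.expectRevert(SessionGatedReviews.HH__NotInSession.selector);
        school.giveReview(student, false);
        assertEq(school.studentScore(student), 100);
    }

    // Reviews still work inside a session and stop again once it ends.
    function testReviewAppliesOnlyInsideSession() public {
        vm.prank(principal);
        school.startSession();
        vm.prank(teacher);
        school.giveReview(student, false);
        assertEq(school.studentScore(student), 90);

        vm.prank(principal);
        school.endSession();
        vm.prank(teacher);
        vm.expectRevert(SessionGatedReviews.HH__NotInSession.selector);
        school.giveReview(student, false);
        assertEq(school.studentScore(student), 90);
    }
}
```

Run with `forge test --match-contract SessionGateTest`. The second test is the one that matters for the judge's note: if the project never clears inSession on session end or upgrade, the gate is still open and the first test is the only thing that would catch the original bug.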

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

session state not updated

`inSession` not updated during upgrade
