A blacklisted teacher address in the USDC token contract can permanently block the graduation process and prevent the school from upgrading to LevelTwo, effectively creating a denial of service condition.
In the graduateAndUpgrade function, teacher payments are processed in a loop using safeTransfer:
If any teacher's address is blacklisted in the USDC contract:
- The safeTransfer to that address will revert
- Due to the loop structure, this revert causes the entire transaction to fail
- No subsequent teachers can receive their payments
- The upgrade to LevelTwo cannot proceed
USDC has an active blacklist feature that can block addresses at any time
Teachers can use contract addresses which might get blacklisted
There's no way to skip or remove a problematic teacher during the graduation process
The principal cannot graduate the school without successfully paying all teachers
A single blacklisted teacher address can:
- Permanently prevent the school from graduating
- Block all teacher payments
- Prevent the upgrade to LevelTwo
- Lock the remaining funds in the contract
- Force the school to remain in LevelOne indefinitely
manual review
Implement a pull payment pattern instead of push payments, so that every teacher calls a function to collect their own payment.