Hawk High

First Flight #39
Beginner Friendly, Solidity
Severity: high
Valid

Missing Student Filtering During Upgrade

Summary

The LevelTwo contract fails to implement the filtering of students who didn't meet the cutoff score during the upgrade process, which violates a core invariant that states "Any student who doesn't meet the cutOffScore should not be upgraded."

Vulnerability Details

The empty graduate() function in LevelTwo does not contain any logic to filter students based on their scores:

function graduate() public reinitializer(2) {}

Additionally, the graduateAndUpgrade() function in LevelOne also lacks this filtering logic. This results in all student records being carried over to LevelTwo regardless of their academic performance.

Impact

This vulnerability severely affects the academic integrity of the system:

- Students have no incentive to maintain good scores if everyone graduates regardless of performance.
- The cutoff score mechanism becomes meaningless as it's not enforced.
- The school cannot maintain academic standards.
- The fundamental business logic of the system is compromised.

Tools Used

Manual review

Recommendations

Add student filtering logic to the graduate() function in LevelTwo.
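
One way the missing filter could look, as an added example that is not taken from the submission or from the Hawk High code base. The storage names (listOfStudents, isStudent, studentScore), the setup helpers and the NotUpgraded event are assumptions, and a score equal to cutOffScore is assumed to meet the cutoff.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch. In a real upgrade these variables must match LevelOne's
// storage layout slot for slot; the names here are assumed.
contract GraduationFilterSketch {
    address[] internal listOfStudents;                 // assumed name
    mapping(address => bool) internal isStudent;       // assumed name
    mapping(address => uint256) internal studentScore; // assumed name
    uint256 internal cutOffScore;

    event NotUpgraded(address indexed student, uint256 score);

    // Setup helpers so the sketch can be exercised on its own (no access control).
    function enroll(address student, uint256 score) external {
        require(!isStudent[student], "already enrolled");
        isStudent[student] = true;
        studentScore[student] = score;
        listOfStudents.push(student);
    }

    function setCutOffScore(uint256 c) external { cutOffScore = c; }

    // The step the finding reports as missing: remove every student whose
    // score is below cutOffScore before their record is carried over.
    function _filterBelowCutOff() internal {
        uint256 i = 0;
        while (i < listOfStudents.length) {
            address student = listOfStudents[i];
            if (studentScore[student] < cutOffScore) {
                emit NotUpgraded(student, studentScore[student]);
                isStudent[student] = false;
                delete studentScore[student];
                // Swap-and-pop. Do not advance i: the entry swapped into
                // index i has not been checked yet.
                listOfStudents[i] = listOfStudents[listOfStudents.length - 1];
                listOfStudents.pop();
            } else {
                i++;
            }
        }
    }

    // Stand-in for LevelTwo.graduate(); the real one keeps reinitializer(2).
    function graduate() public { _filterBelowCutOff(); }

    function studentCount() external view returns (uint256) { return listOfStudents.length; }
}
```

The loop is unbounded in the number of students, so a large enrollment list needs a gas budget check before this runs inside an upgrade call.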

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

cut-off criteria not applied

All students are graduated when the graduation function is called as the cut-off criteria is not applied.
