Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: medium
Invalid

Reentrancy Risk in `enroll()` Function

Summary

The enroll() function is prone to a reentrancy attack because of an unsafe order of operations: it makes an external token transfer (usdc.safeTransferFrom()) before updating the contract state. A malicious contract could therefore re-enter the function before the state is written and bypass the function's checks or manipulate state variables.

Vulnerability Details

The function makes an external call (usdc.safeTransferFrom) before updating the contract's state (isStudent, studentScore, bursary).

If the token contract behind usdc makes a callback during transferFrom, that callback could re-enter enroll() before the state updates occur, allowing:

  • Multiple enrollments without deducting fees.

  • Bypassing the isStudent check, leading to duplicate enrollments.

  • Manipulation of bursary or other state variables.

    // @audit external call happens before the state updates below
    function enroll() external notYetInSession {
        if (isTeacher[msg.sender] || msg.sender == principal) {
            revert HH__NotAllowed();
        }
        if (isStudent[msg.sender]) {
            revert HH__StudentExists();
        }
        usdc.safeTransferFrom(msg.sender, address(this), schoolFees);
        listOfStudents.push(msg.sender);
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100;
        bursary += schoolFees;
        emit Enrolled(msg.sender);
    }

Attack Scenario

  • An attacker deploys a malicious token contract that makes a callback in transferFrom.

  • The attacker re-enters enroll() while usdc.safeTransferFrom is executing, paying school fees each time.

  • The callback happens before isStudent[msg.sender] is updated.

  • Since isStudent[msg.sender] is still false, the attacker can enroll multiple times, possibly draining funds or corrupting state.

Impact

  • Unauthorized enrollments.

  • Manipulation of state.

  • Loss of funds.

Tools Used

  • Manual Review

  • Static analysis

Recommendations

Use OpenZeppelin’s ReentrancyGuard modifier (nonReentrant) on functions that involve external calls.
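The following is an added illustration of the recommended hardening, not code from the Hawk High project. It keeps the storage names and custom errors from the snippet above (usdc, schoolFees, isStudent, bursary, HH__NotAllowed, HH__StudentExists) and assumes the rest of the contract (constructor, the flag behind notYetInSession, and the HH__SessionInProgress error) for completeness. Two layers are shown: OpenZeppelin's nonReentrant modifier, as recommended, and the checks-effects-interactions ordering, which on its own closes the re-entry path described in the attack scenario regardless of how the token's transferFrom behaves. The import path assumes OpenZeppelin Contracts v5 (in v4 the guard lives under security/ReentrancyGuard.sol).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin Contracts v5 paths (assumed); v4 uses security/ReentrancyGuard.sol
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative hardened enroll(); not the project's contract.
/// Storage names mirror the audited snippet; everything else is assumed.
contract HawkHighEnrollExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    error HH__NotAllowed();
    error HH__StudentExists();
    error HH__SessionInProgress(); // assumed name for the notYetInSession revert

    event Enrolled(address indexed student);

    IERC20 public immutable usdc;
    address public immutable principal;
    uint256 public immutable schoolFees;
    bool public inSession; // assumed flag checked by notYetInSession

    address[] public listOfStudents;
    mapping(address => bool) public isTeacher;
    mapping(address => bool) public isStudent;
    mapping(address => uint256) public studentScore;
    uint256 public bursary;

    modifier notYetInSession() {
        if (inSession) revert HH__SessionInProgress();
        _;
    }

    constructor(address _usdc, address _principal, uint256 _schoolFees) {
        usdc = IERC20(_usdc);
        principal = _principal;
        schoolFees = _schoolFees;
    }

    // nonReentrant (layer 1): any nested call into enroll() during the external
    // transfer reverts with ReentrancyGuardReentrantCall.
    function enroll() external notYetInSession nonReentrant {
        // Checks
        if (isTeacher[msg.sender] || msg.sender == principal) revert HH__NotAllowed();
        if (isStudent[msg.sender]) revert HH__StudentExists();

        // Effects (layer 2): every state write happens before the external call,
        // so even a token whose transferFrom hands control back to the caller
        // would observe isStudent[msg.sender] == true and hit HH__StudentExists.
        listOfStudents.push(msg.sender);
        isStudent[msg.sender] = true;
        studentScore[msg.sender] = 100;
        bursary += schoolFees;
        emit Enrolled(msg.sender);

        // Interactions: external call last; if the transfer fails, SafeERC20
        // reverts and the effects above are rolled back with it.
        usdc.safeTransferFrom(msg.sender, address(this), schoolFees);
    }
}
```

A test for this ordering would deploy a mock token whose transferFrom calls back into enroll() and assert that the outer call reverts (with ReentrancyGuardReentrantCall, or with HH__StudentExists if the modifier is removed), and that listOfStudents.length stays 0 afterwards.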


Updates

Lead Judging Commences

yeahchibyke Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
