Hawk High

Summary

The smart contract designed to manage a student review system lacks proper validation before upgrading a student's level. Specifically, there are no checks to confirm that a student has received the required number of reviews (4) or that they have met the minimum score (cutOffScore) before graduation. This creates a logic flaw that can be exploited to bypass the intended progression system.

Vulnerability Details

In the provided contract:

• Mentors can submit reviews for students using giveReview().

• Student data is stored in mappings like studentScore and reviewCount.

• There is no function that enforces validation of:

  • Total number of reviews per student (== 4)

  • Minimum score (>= cutOffScore)

• The absence of a function like graduateAndUpgrade() or any validation logic allows:

  • Graduation without completing 4 reviews.

  • Graduation with a score below the defined threshold.

This violates the expected invariants of the system and opens the door to unauthorized upgrades.

Impact

Integrity Violation: Students may graduate without fulfilling academic criteria.

• Access Control Bypass: The system's trust-based upgrade model is easily abused.

• Reputation Damage: Undeserving students could receive recognition, damaging the credibility of the system.

• Financial or Logical Consequences: If graduation or upgrades are tied to benefits (e.g., rewards, certificates, NFTs), this vulnerability could lead to exploitation and unfair resource distribution.

Tools Used

Manual Code Review

Recommendations

• Implement a graduateAndUpgrade() function with strict validations:

• Restrict review submission post-deadline by validating block.timestamp <= sessionEnd in giveReview().