DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Missing check in createCustomReferralCode() can lead to unwanted referral transfer

Lines of code

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/GlobalConfigurationBranch.sol#L632-L636

Impact

The current implementation of the createCustomReferralCode function allows the referrer of an existing custom referral code (CRC) to be overwritten. The owner can therefore accidentally set a new referrer for a CRC that is already in use, redirecting all referral benefits from the old referrer to the new one. This could result in significant financial losses for the original referrer and undermine trust in the referral system.

Proof of Concept

The createCustomReferralCode function in the GlobalConfigurationBranch contract allows the creation of custom referral codes. However, it does not check if the referrer for the CRC is already set before assigning a new referrer:

function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
    CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
    emit LogCreateCustomReferralCode(referrer, customReferralCode);
}

This means that if the same referral code is created a second time, the new referrer silently overwrites the old one and receives all subsequent referral benefits, including those from referrals already made under the old referrer.

Recommended Mitigation Steps

To ensure that a CRC can only be assigned once, consider adding a check that rejects a code whose referrer is already set:

function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
+   // referrer is an address, so the empty-slot comparison must be against address(0)
+   if (CustomReferralConfiguration.load(customReferralCode).referrer != address(0)) revert;
    CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
    emit LogCreateCustomReferralCode(referrer, customReferralCode);
}
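
The following Foundry test is added here as an illustration; it is not part of the submission or of the Zaros codebase. It reproduces the overwrite against a minimal stand-in contract and checks that the mitigation rejects reuse; the plain mapping, the `CustomReferralCodeAlreadyExists` error and the referral code value are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

/// Stand-in for the branch: one mapping replaces the CustomReferralConfiguration
/// library, otherwise the create logic mirrors the report.
contract ReferralCodes {
    error CustomReferralCodeAlreadyExists(string customReferralCode); // assumed name
    event LogCreateCustomReferralCode(address referrer, string customReferralCode);

    address public owner = msg.sender;
    mapping(string => address) public referrerOf;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Vulnerable form from the report: silently overwrites any existing referrer.
    function createUnchecked(address referrer, string memory code) external onlyOwner {
        referrerOf[code] = referrer;
        emit LogCreateCustomReferralCode(referrer, code);
    }

    // Hardened form: a code that already has a referrer cannot be reassigned.
    function createChecked(address referrer, string memory code) external onlyOwner {
        if (referrerOf[code] != address(0)) revert CustomReferralCodeAlreadyExists(code);
        referrerOf[code] = referrer;
        emit LogCreateCustomReferralCode(referrer, code);
    }
}

contract ReferralCodesTest is Test {
    ReferralCodes codes;
    address alice = address(0xA11CE); // constructed sample referrers
    address bob = address(0xB0B);

    function setUp() public { codes = new ReferralCodes(); } // test contract is owner

    function testUncheckedOverwritesReferrer() public {
        codes.createUnchecked(alice, "ZAROS10");
        codes.createUnchecked(bob, "ZAROS10");    // owner re-creates the same code
        assertEq(codes.referrerOf("ZAROS10"), bob); // alice has lost the code
    }

    function testCheckedRejectsReuse() public {
        codes.createChecked(alice, "ZAROS10");
        vm.expectRevert(abi.encodeWithSelector(
            ReferralCodes.CustomReferralCodeAlreadyExists.selector, "ZAROS10"));
        codes.createChecked(bob, "ZAROS10");
        assertEq(codes.referrerOf("ZAROS10"), alice); // original assignment survives
    }
}
```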
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
