DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Custom referral code can be overridden

Summary

The protocol supports a referral system for end users, allowing them to receive rewards or incentives. However, the admin has the ability to override the referral code, which will result in the user losing their reward or incentive.

Vulnerability Details

The owner can set the referral code for users. Consider the following code:

/2024-07-zaros/src/perpetuals/branches/GlobalConfigurationBranch.sol:632
    function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
        // @audit : the referral code will be overridden
        CustomReferralConfiguration.load(customReferralCode).referrer = referrer;

        emit LogCreateCustomReferralCode(referrer, customReferralCode);
    }

The following scenario can occur:

  1. The owner sets referral code 1 for Alice.

  2. Alice uses this code to onboard 3 users.

  3. Alice becomes eligible to receive rewards.

  4. Meanwhile, the owner updates Alice's referral code to 2.

  5. As a result of this update, Alice will lose all rewards or incentives.

Impact

Updating the referral code could result in the loss of rewards or incentives for the end user.

Tools Used

Manual Review

Recommendations

First, check whether the referral code is already set. If it is not, set it; otherwise, revert with an "already set" error.
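
One way to implement this check, as an added example that is not code from the Zaros repository or from the original submission. Assumptions: the contract name, the mapping keyed by the hash of the code string (a stand-in for CustomReferralConfiguration.load), the custom errors, the event parameter types and the getReferrer helper are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: simplified stand-in for the referral registry, not Zaros code.
contract ReferralRegistrySketch {
    address public immutable owner;

    // Assumption: code -> referrer storage, keyed by the hash of the code string.
    mapping(bytes32 codeHash => address referrer) private referrerOf;

    error NotOwner();
    error ZeroReferrer();
    error EmptyReferralCode();
    error ReferralCodeAlreadySet(string customReferralCode, address currentReferrer);

    // Event name taken from the snippet above; parameter types are assumed.
    event LogCreateCustomReferralCode(address referrer, string customReferralCode);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
        // address(0) is the "unset" sentinel, so it must never be stored as a referrer;
        // otherwise a code could be registered and still look free to the check below.
        if (referrer == address(0)) revert ZeroReferrer();
        if (bytes(customReferralCode).length == 0) revert EmptyReferralCode();

        bytes32 key = keccak256(bytes(customReferralCode));
        address current = referrerOf[key];

        // Write-once: an existing code keeps its original referrer.
        if (current != address(0)) revert ReferralCodeAlreadySet(customReferralCode, current);

        referrerOf[key] = referrer;
        emit LogCreateCustomReferralCode(referrer, customReferralCode);
    }

    function getReferrer(string memory customReferralCode) external view returns (address) {
        return referrerOf[keccak256(bytes(customReferralCode))];
    }
}
```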

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
