DeFiFoundry
60,000 USDC
View results
Submission Details
Severity: low
Valid

Weird behavior upon a user setting/not setting a referrer

Summary

Weird behavior upon a user setting/not setting a referrer

Vulnerability Details

Whenever users create a trading account, they can set a referrer. We have the following 2 lines there (if we end up in the if check, we set a referrer):

Referral.Data storage referral = Referral.load(msg.sender);
if (referralCode.length != 0 && referral.referralCode.length == 0)

We can see that the first condition of the if check is for the user to specify referralCode. This, of course, makes sense as he can decide that he doesn't want to set a referrer. The second condition is for the user to not have a referrer already. We can also see that the line above fetches the data of the referral based on the msg.sender. That means that if Bob created a trading account, set Alice as referrer, then created a second trading account and tried to set Alice as referrer, this would not work as even though this is a new trading account, the msg.sender is still equal to Bob's address in both cases, thus the second condition in the if check would not pass.

Now, this can be exactly the idea of the developers (or possibly not, who knows). It makes sense that if Bob already had an account, he shouldn't be able to do so again on his second account as if he was referred by someone, he would have already put him as the referrer. However, let's imagine that Bob did not set a referrer the first time. Now, whenever he creates a second trading account, he will be able to set one as the data about the referral will be empty.

This creates the following scenario - if Bob was referred by someone and he set him as a referrer, he won't be able to set a referrer on his second trading account. However, if he didn't set someone as a referrer on his first account, he will be able to set a referrer on his second trading account. This shouldn't be the case as Bob is already a trader, he was not referred by anyone when he created his second trading account, thus even if he didn't actually set a referrer on his first account (due to the fact that no one actually referred him to the protocol or he simply decided not to), he shouldn't be able to set a referrer on his second account.

For example:

  1. Bob finds out about the protocol on his own and he doesn't set anyone as referrer when creating his account

  2. He then finds out that he can refer someone and decides to cheat the system by creating a second account and this time, setting a referrer

  3. This will of course work and the checks would pass

The protocol should either allow all traders to set a new referrer no matter how many accounts they have and will create (if that is their idea) or should not allow a user who already has created an account, to set a referrer on his second account (most likely what the protocol should do based on what I believe was their idea).

Impact

Weird behavior upon a user setting/not setting a referrer

Tools Used

Manual Review

Recommendations

Whenever someone creates an account and doesn't set a referrer, still set him a special placeholder referrer that signalizes that he doesn't actually have a referrer. Next time he creates an account, do not allow him to set a referrer if he already has that placeholder as a referrer.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Referrals should be set per trading account id instead of per trader

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.