In TradingAccountBranch, the function createTradingAccount is used to create a user's trading account. However, a user may open their first trading account without any referrer, meaning the user was not referred to the protocol by anyone. The same user can later open a new trading account with a referralCode, and the referrer corresponding to that referralCode is then added as the user's referrer. As a result, a user can add someone as their referrer even though they were not technically referred by them.
A vulnerability exists in the referral code handling logic that allows a user to bypass the referral system by opening an account without a referrer initially and then adding a referrer later. This results in the system not recognizing that the user was not referred at the time of the first account opening, potentially leading to improper referral rewards and incentives.
Steps to reproduce:
1. Initial account opening without referrer: the user opens an account without providing a referral code (referralCode.length == 0).
2. Subsequent account opening with referrer: the same user later provides a referral code during another account opening, which is accepted because no referrer was recorded for the user (referral.referralCode.length == 0).
This scenario is problematic because it means the user did not have a referrer initially, but they can later claim to have one, which undermines the referral system's integrity.
Referrers may receive rewards for users who were not genuinely referred by them at the time of the first account opening.
Tools used: Manual review
Ensure that a referral code must be provided at the time of the first account opening if the referral system is to be used. If no referral code is provided at that point, the protocol should assign a default referral code so that a referrer cannot be attached through a later account opening.
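As an added illustration (not the project's code), a simplified hypothetical contract contrasts the vulnerable pattern with the recommended fix; all identifiers other than createTradingAccount and referralCode, and the default-code value, are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified contract illustrating the finding above. It is not the
// project's TradingAccountBranch; identifiers other than createTradingAccount and
// referralCode are constructed for this example.
contract ReferralExample {
    struct Referral {
        bytes referralCode;
        bool isCustom;
    }

    // Constructed sentinel used when a first account is opened with no referrer.
    bytes internal constant DEFAULT_REFERRAL_CODE = hex"00";

    mapping(address => Referral) public referrals;
    mapping(address => uint256) public accountCount;
    mapping(address => bool) public hasOpenedAccount;

    // Vulnerable pattern: a referrer can be attached on any account opening as long
    // as the stored code is still empty, so a user whose first account had no
    // referrer can add one with a later account.
    function createTradingAccountVulnerable(bytes calldata referralCode) external returns (uint256) {
        if (referralCode.length != 0 && referrals[msg.sender].referralCode.length == 0) {
            referrals[msg.sender] = Referral(referralCode, true);
        }
        return ++accountCount[msg.sender];
    }

    // Hardened pattern (the recommendation above): the referral decision is settled
    // at the first account opening. An empty code locks in the default, and later
    // openings that try to introduce a referrer are rejected.
    function createTradingAccountFixed(bytes calldata referralCode) external returns (uint256) {
        if (!hasOpenedAccount[msg.sender]) {
            hasOpenedAccount[msg.sender] = true;
            if (referralCode.length != 0) {
                referrals[msg.sender] = Referral(referralCode, true);
            } else {
                referrals[msg.sender] = Referral(DEFAULT_REFERRAL_CODE, false);
            }
        } else {
            require(referralCode.length == 0, "referrer fixed at first account");
        }
        return ++accountCount[msg.sender];
    }
}
```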