DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Missing check in GlobalConfigurationBranch::createCustomReferralCode for Duplicate Custom Referral Code Creation

Summary

The GlobalConfigurationBranch::createCustomReferralCode function allows the contract owner to assign a custom referral code to a specific referrer. This functionality is central to managing referrals within the Zaros ecosystem: it enables tracking and rewarding users who, for example, bring new participants to the platform.

However, GlobalConfigurationBranch::createCustomReferralCode creates custom referral codes without any check that prevents duplication. The owner can therefore call it repeatedly with the same code string, each time associating that string with a different referrer.

Vulnerability Details

Because nothing enforces the uniqueness of custom referral codes at creation time, a code can be created more than once. The referrer is written directly into the storage slot of the custom referral code without first checking whether that code already has a referrer assigned.

Link: https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/GlobalConfigurationBranch.sol#L632C4-L636C6

```solidity
function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
@>  CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
    emit LogCreateCustomReferralCode(referrer, customReferralCode);
}
```

Impact

In referral systems, each referral code typically needs to uniquely identify a single referrer so that the system can accurately track who is eligible for a reward (for example, who referred a new user or customer). If the same referral code is assigned to multiple individuals, then when a new user signs up with that shared code it becomes unclear whom the referral bonus or credit should be attributed to. This ambiguity leads to disputes and errors in distributing rewards, because the system cannot distinguish between the intended referrers.

Paste the following test into CreateCustomReferralCode.t.sol and run:

```shell
forge test --match-test test_WhenCreateCustomReferralCodeDuplicated -vv
```

```solidity
// Create the same custom referral code for two different referrers
function test_WhenCreateCustomReferralCodeDuplicated() external givenTheSenderIsTheOwner {
    address referrer = address(1);
    address referrer2 = address(2);
    string memory customReferralCode = "customReferralCode";

    changePrank({ msgSender: users.owner.account });

    // Create the first custom referral code
    vm.expectEmit({ emitter: address(perpsEngine) });
    emit GlobalConfigurationBranch.LogCreateCustomReferralCode(referrer, customReferralCode);
    perpsEngine.createCustomReferralCode(referrer, customReferralCode);

    address referrerReceived = perpsEngine.getCustomReferralCodeReferrer(customReferralCode);
    console2.log("Create the first custom referral code");
    console2.log("referrer:", referrer);
    console2.log("customReferralCode:", customReferralCode);
    console2.log("referrerReceived:", referrerReceived);
    console2.log("--------------------");
    assertEq(referrerReceived, referrer, "Referrer not set correctly");

    // Create the same custom referral code with a different referrer:
    // the call does not revert and the code is silently reassigned
    vm.expectEmit({ emitter: address(perpsEngine) });
    emit GlobalConfigurationBranch.LogCreateCustomReferralCode(referrer2, customReferralCode);
    perpsEngine.createCustomReferralCode(referrer2, customReferralCode);

    address referrerReceived2 = perpsEngine.getCustomReferralCodeReferrer(customReferralCode);
    console2.log("Create the same custom referral code with a different referrer");
    console2.log("referrer2:", referrer2);
    console2.log("customReferralCode:", customReferralCode);
    console2.log("referrerReceived2:", referrerReceived2);
    assertEq(referrerReceived2, referrer2, "Referrer not set correctly");
}
```
```text
forge test --match-test test_WhenCreateCustomReferralCodeDuplicated -vv
[⠊] Compiling...
[⠊] Compiling 1 files with Solc 0.8.25
[⠒] Solc 0.8.25 finished in 9.32s
Compiler run successful!

Ran 1 test for test/integration/perpetuals/global-configuration-branch/createCustomReferralCode/createCustomReferralCode.t.sol:CreateCustomReferralCode_Integration_Test
[PASS] test_WhenCreateCustomReferralCodeDuplicated() (gas: 75880)
Logs:
  Create the first custom referral code
  referrer: 0x0000000000000000000000000000000000000001
  customReferralCode: customReferralCode
  referrerReceived: 0x0000000000000000000000000000000000000001
  --------------------
  Create the same custom referral code with a different referrer
  referrer2: 0x0000000000000000000000000000000000000002
  customReferralCode: customReferralCode
  referrerReceived2: 0x0000000000000000000000000000000000000002

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 13.92ms (373.79µs CPU time)

Ran 1 test suite in 214.08ms (13.92ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
```

Tools Used

Manual review.

Recommendations

Add a check in createCustomReferralCode that reverts when customReferralCode already has a referrer assigned, so that each code maps to exactly one referrer and can never be silently reassigned.
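One way to implement that check, as an added illustration and not the Zaros project's own code. It assumes that CustomReferralConfiguration.load() returns a storage struct named Data (the struct name is an assumption; only the referrer field is shown on the page) and the custom error names are likewise assumed.

```solidity
// Added example, not the project's code. The struct name `Data` and the
// error names are assumptions; only `load(...).referrer` comes from the page.
error ZeroReferrer();
error CustomReferralCodeAlreadyExists(string customReferralCode);

function createCustomReferralCode(
    address referrer,
    string memory customReferralCode
)
    external
    onlyOwner
{
    // address(0) is reserved as the "unset" marker below, so it must never be
    // stored as a referrer or the uniqueness check could be bypassed.
    if (referrer == address(0)) revert ZeroReferrer();

    CustomReferralConfiguration.Data storage config =
        CustomReferralConfiguration.load(customReferralCode);

    // Reject a code that already maps to a referrer: each code belongs to
    // exactly one referrer and cannot be reassigned after creation.
    if (config.referrer != address(0)) {
        revert CustomReferralCodeAlreadyExists(customReferralCode);
    }

    config.referrer = referrer;
    emit LogCreateCustomReferralCode(referrer, customReferralCode);
}
```

With this change the second createCustomReferralCode call in the proof-of-concept test above reverts, so that test should be rewritten to expect the revert (for example with vm.expectRevert) rather than a second LogCreateCustomReferralCode event.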

Updates

Lead Judging Commences

inallhonesty Lead Judge
11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
