DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Unregistered Users Receiving Referral Commissions.

Description:

The function TradingAccountBranch::createTradingAccount accepts any referral code when a trading account is created. For a non-custom code the only validation is that the decoded address is not the caller itself, so an address that is not a registered or valid user on Zaros can be recorded as a referrer and receive referral commissions.

```solidity
function createTradingAccount(
    bytes memory referralCode,
    bool isCustomReferralCode
)
    public
    virtual
    returns (uint128 tradingAccountId)
{
    // fetch storage slot for global config
    GlobalConfiguration.Data storage globalConfiguration = GlobalConfiguration.load();
    // increment next account id & output
    tradingAccountId = ++globalConfiguration.nextAccountId; //@audit what will happen if it gets to max of uint96
    // get reference to account nft token
    IAccountNFT tradingAccountToken = IAccountNFT(globalConfiguration.tradingAccountToken);
    // create account record
    TradingAccount.create(tradingAccountId, msg.sender);
    // mint nft token to account owner
    tradingAccountToken.mint(msg.sender, tradingAccountId);
    emit LogCreateTradingAccount(tradingAccountId, msg.sender);
    //q what's the advantage of the referral in this?
    Referral.Data storage referral = Referral.load(msg.sender);
    if (referralCode.length != 0 && referral.referralCode.length == 0) {
        if (isCustomReferralCode) {
            CustomReferralConfiguration.Data storage customReferral =
                CustomReferralConfiguration.load(string(referralCode));
            if (customReferral.referrer == address(0)) {
                revert Errors.InvalidReferralCode();
            }
            referral.referralCode = referralCode;
            referral.isCustomReferralCode = true;
        } else {
            address referrer = abi.decode(referralCode, (address));
            if (referrer == msg.sender) {
                revert Errors.InvalidReferralCode();
            }
            referral.referralCode = referralCode;
            referral.isCustomReferralCode = false;
        }
        emit LogReferralSet(msg.sender, referral.getReferrerAddress(), referralCode, isCustomReferralCode);
    }
    return tradingAccountId;
}
```

Impact:

This vulnerability can lead to misuse of the referral system, where referral commissions are awarded to unregistered or invalid users. This could potentially result in financial losses for Zaros, as the platform may pay out commissions to non-legitimate users. Additionally, it could undermine the integrity of the referral program, affecting the trust and satisfaction of genuine users.

Proof of Concept:

The test below demonstrates a scenario in which an address that is not a Zaros user (fatma) is set as the referrer of another user (naruto). Although fatma has never created a trading account on Zaros, the referral is accepted and fatma becomes eligible for referral commissions.

```solidity
function test_WhenReferralDoesntExistOnZaros()
    external
{
    changePrank({ msgSender: users.naruto.account });
    // @audit-info Fatma is not a valid user of Zaros but her address was assigned as Naruto's referral
    address fatma = makeAddr('fatma');
    bytes memory referralCodeFatma = abi.encode(fatma);
    vm.expectEmit({ emitter: address(perpsEngine) });
    emit TradingAccountBranch.LogReferralSet(users.naruto.account, fatma, referralCodeFatma, false);
    perpsEngine.createTradingAccount(referralCodeFatma, false);
}
```

Tools Used:

Manual Audit

Recommended Mitigation:

To address this issue, verify referral codes before they are accepted during account creation. This could involve:

  1. Checking that the address encoded in a non-custom referral code belongs to a registered, valid user on Zaros (for example, one that already owns a trading account), mirroring the existing `referrer == address(0)` check that custom codes already receive.

  2. Adding further validation to prevent misuse of referral codes.
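The following is an added, simplified model of the non-custom referral branch with the recommended registration check; it is illustrative code, not Zaros's own, and the `accountOf` mapping and `hasTradingAccount` helper are assumptions standing in for the protocol's account storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical model of referral assignment during account creation.
/// The only addition over the flow shown on the page is the
/// `hasTradingAccount(referrer)` check before the referral is stored.
contract ReferralCheckExample {
    error InvalidReferralCode();
    event LogReferralSet(address indexed user, address indexed referrer, bytes referralCode, bool isCustom);

    uint128 public nextAccountId;
    mapping(address => uint128) public accountOf;    // assumed: owner => first account id (0 = none)
    mapping(address => bytes) public referralCodeOf; // assumed: user => stored referral code

    /// A referrer is "registered" only if it already owns a trading account.
    function hasTradingAccount(address who) public view returns (bool) {
        return accountOf[who] != 0;
    }

    function createTradingAccount(bytes memory referralCode) external returns (uint128 tradingAccountId) {
        tradingAccountId = ++nextAccountId;
        if (accountOf[msg.sender] == 0) {
            accountOf[msg.sender] = tradingAccountId;
        }

        // Same guard as the original: only set a referral once, and only when a code is supplied.
        if (referralCode.length != 0 && referralCodeOf[msg.sender].length == 0) {
            address referrer = abi.decode(referralCode, (address));

            // Existing check: the caller cannot refer themselves.
            if (referrer == msg.sender) revert InvalidReferralCode();

            // Added check: an address with no trading account (like `fatma` in the PoC)
            // is rejected here instead of becoming a commission recipient.
            if (!hasTradingAccount(referrer)) revert InvalidReferralCode();

            referralCodeOf[msg.sender] = referralCode;
            emit LogReferralSet(msg.sender, referrer, referralCode, false);
        }
    }
}
```

With this check in place, the page's PoC would revert with `InvalidReferralCode` instead of emitting `LogReferralSet` for an address that never created an account.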

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
