DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Invalid

Malicious user can forge any `referralCode`

Summary

In the TradingAccountBranch contract a user creates an account by calling createTradingAccount(). When isCustomReferralCode is passed as false, the function performs no check that the supplied referralCode is genuine: it is simply an abi-encoded address, so any address can be passed as the referrer.

Vulnerability Details

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/TradingAccountBranch.sol#L266-L273

Impact

If the project decides to use referral codes to reward the users who bring in the most value, this feature might be abused. Malicious users could create a large number of fake accounts, each pointing at a referrer of their choice, to farm referral points and ultimately claim the rewards. Here is a PoC.

function test_userForgeAnyReferralCode()
    external
    givenTheTradingAccountTokenIsSet
    whenTheUserHasAReferralCode
    whenTheReferralCodeIsCustom
{
    // Any address will do: a non-custom referral code is just an abi-encoded address.
    address _addressToForge = address(0xdead);
    changePrank({ msgSender: users.naruto.account });

    // it should emit {LogReferralSet} event with the forged referrer, i.e. the call
    // succeeds although that address never registered or signed anything.
    vm.expectEmit({ emitter: address(perpsEngine) });
    emit TradingAccountBranch.LogReferralSet(
        users.naruto.account, _addressToForge, abi.encode(_addressToForge), false
    );
    perpsEngine.createTradingAccount(abi.encode(_addressToForge), false);
}

Add the snippet to test/integration/perpetuals/trading-account-branch/createTradingAccount/createTradingAccount.t.sol and run the following command:

forge test --match-path test/integration/perpetuals/trading-account-branch/createTradingAccount/createTradingAccount.t.sol --match-test test_userForgeAnyReferralCode -vvvvv

Tools Used

Manual review

Recommendations

Make sure referral codes are issued and signed by a trusted party, and that the contract verifies that signature on-chain, so that users cannot forge a referral for an arbitrary address.
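One way to implement the recommended signed-referral pattern, as an added example that is not Zaros code and not part of the original submission (the submission was judged invalid, see Updates, so this illustrates the recommended design rather than a fix to a confirmed issue). The contract name `SignedReferralRegistry`, the `referralIssuer` key, the `setReferral`/`referralDigest` functions and the error names are all assumptions for this illustration; the digest is an EIP-191 personal-sign hash over (contract, chainId, user, referrer, expiry) so a plain key can produce it off-chain:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical referral registry (added example, not Zaros code).
/// A referral is accepted only if it carries a signature from `referralIssuer`,
/// an off-chain key controlled by the protocol, over (this, chainId, user,
/// referrer, expiry). A user can no longer "mint" a referral for an arbitrary
/// address by abi.encode-ing it, because the contract never trusts raw input.
contract SignedReferralRegistry {
    error InvalidReferralSignature();
    error ReferralExpired();
    error ReferralAlreadySet();
    error SelfReferral();

    event ReferralSet(address indexed user, address indexed referrer);

    address public immutable referralIssuer; // assumed: protocol-controlled signer
    mapping(address user => address referrer) public referrerOf;

    constructor(address issuer) {
        referralIssuer = issuer;
    }

    /// Digest the issuer signs off-chain. Binding chainId and this contract's
    /// address stops replay across deployments; binding `user` stops one signed
    /// code from being replayed by a farm of fresh accounts; `expiry` bounds the
    /// lifetime of an issued code.
    function referralDigest(address user, address referrer, uint256 expiry)
        public
        view
        returns (bytes32)
    {
        bytes32 inner = keccak256(abi.encode(address(this), block.chainid, user, referrer, expiry));
        // EIP-191 "personal_sign" prefix for a 32-byte message
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    /// Called by the new user with a code obtained from the issuer.
    function setReferral(address referrer, uint256 expiry, bytes calldata signature) external {
        if (referrer == msg.sender) revert SelfReferral();
        if (referrerOf[msg.sender] != address(0)) revert ReferralAlreadySet();
        if (block.timestamp > expiry) revert ReferralExpired();

        address signer = _recover(referralDigest(msg.sender, referrer, expiry), signature);
        if (signer == address(0) || signer != referralIssuer) revert InvalidReferralSignature();

        referrerOf[msg.sender] = referrer;
        emit ReferralSet(msg.sender, referrer);
    }

    /// Minimal ecrecover wrapper with the usual guards: 65-byte length,
    /// v in {27, 28}, and low-s to reject malleable signatures.
    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        if (v != 27 && v != 28) return address(0);
        // secp256k1 half-order: anything above is a high-s (malleable) signature
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) {
            return address(0);
        }
        return ecrecover(digest, v, r, s);
    }
}
```

The signature check only guarantees that the referral was issued by the protocol's key; it does not by itself stop sybil farming if the issuer hands out codes to every fresh account. Whatever off-chain service holds `referralIssuer` must apply its own eligibility rules before signing, and rotating or revoking that key should be planned for.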

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
