Zaros Part 1

Summary

All data stored on-chain is readable. The customReferralCode value can still be read on-chain because it is stored without encryption. This means that all the customReferralCode, are accessible.

At the moment the Zaros team hasn't provided much information about the referral program that will be implemented. They only confirmed (on the discord channel) that the customReferralCode will be used for KOL.

In blockchain-based referral programs, particularly those involving Key Opinion Leaders (KOLs), custom referral codes are often utilized to track and reward referrals. When these codes are stored in plaintext on the blockchain, they become publicly accessible to anyone who can read the blockchain ledger. This practice raises malicious abuse of the program.

Link: https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/GlobalConfigurationBranch.sol#L632C4-L636C6

Vulnerability Details

Storing custom referral codes in plaintext means that these codes can be read directly from the blockchain by anyone, including competitors, malicious actors, and unauthorized individuals.

Impact

Custom referral codes are typically unique identifiers given to users (in this case, KOLs or influencers) who participate in a referral program. These codes are shared with their followers or audience, who then use them upon signing up or making a purchase to grant benefits to both the referrer (the KOL) and themselves. The benefits earned by the KOL could be in the form of discounts or other incentives provided by the company running the referral program.

Storing these custom referral codes in plaintext on the blockchain means that anyone can read these codes directly from the blockchain ledger. Anyone can see the referral codes associated with specific KOLs. This visibility could lead to unauthorized individuals who can exploit these codes for personal gain, leading to abuse of the referral system and loss of benefits intended for legitimate KOLs and referred users. For example, someone might use a KOL's referral code without actually being referred by them, depriving the user referred by the KOL of their deserved benefits.

Actors:

• Attacker: Anyone.

• Victim: KOLs and KOL referred users.

Working Test Case:

• Go on https://sepolia.etherscan.io/

• Open a tx with "createCustomReferralCode(address, string)" signatue (0x4ceb6b6f method) For example: https://sepolia.etherscan.io/tx/0x8dbcf65cddbb1d06c8308c3e057b8fd11f339d19e0b5ab97c8d888781008c256.

• Access the Input data in the More Details section. Using the View input As - UTF-8 button will show the stored customReferralCode.

Tools Used

Manual review.

Recommendations

Consider implementing the encryption or hashing of the referral codes before storing them on-chain.