DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Invalid

Missing Length Validation for non-customized referral codes in `TradingAccountBranch::createTradingAccount`

Summary

The TradingAccountBranch::createTradingAccount function does not validate the length of a non-customized referral code before ABI-decoding it into the referrer address. A well-formed code is exactly 32 bytes (one ABI word holding the 20-byte address, left-padded with zeros); a code of any other length is passed to abi.decode unchecked.

Vulnerability Details

Within the TradingAccountBranch::createTradingAccount function, the following code decodes a non-customized referral code into the referrer address:

address referrer = abi.decode(referralCode, (address));
if (referrer == msg.sender) {
revert Errors.InvalidReferralCode();
}

If the trader's non-customized referral code is not exactly 32 bytes, nothing in the function rejects it. abi.decode reverts on data shorter than one 32-byte word, but on longer data it silently decodes the first word and ignores every trailing byte, so a malformed code is accepted as if it were well-formed.

Impact

Because the length of a non-customized referral code is never checked, a malformed code (anything other than a single 32-byte ABI word) is not rejected up front, and the referrer it yields may not be the one the trader intended. Points are distributed based on the referrer address, so this could lead to points being credited to the wrong account.

Tools Used

Manual review

Recommendations

+ require(referralCode.length == 0x20);
address referrer = abi.decode(referralCode, (address));
if (referrer == msg.sender) {
revert Errors.InvalidReferralCode();
}
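The following Foundry test contrasts the unchecked decode shown above with the recommended 32-byte length check. It is an added example written for this page, not code from the Zaros/DeFiFoundry repository; `ReferralDecoder`, `decodeUnchecked`, `decodeChecked` and the `REFERRER` constant are hypothetical stand-ins for the relevant part of `createTradingAccount`. The three cases it exercises are the ones a reviewer would want confirmed: a properly encoded 32-byte code decodes identically either way, a 64-byte code with trailing junk is silently accepted by the unchecked path but rejected by the checked one, and a 20-byte raw address (not ABI-encoded) makes abi.decode itself revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Hypothetical stand-in for the referral decoding in createTradingAccount
/// (example code for this write-up, not the project's contract).
contract ReferralDecoder {
    error InvalidReferralCode();

    /// Mirrors the reported behaviour: no length check before abi.decode.
    function decodeUnchecked(bytes memory referralCode) external view returns (address referrer) {
        referrer = abi.decode(referralCode, (address));
        if (referrer == msg.sender) revert InvalidReferralCode();
    }

    /// Hardened variant: an ABI-encoded address is exactly one 32-byte word,
    /// so anything else is rejected before it reaches abi.decode.
    function decodeChecked(bytes memory referralCode) external view returns (address referrer) {
        if (referralCode.length != 32) revert InvalidReferralCode();
        referrer = abi.decode(referralCode, (address));
        if (referrer == msg.sender) revert InvalidReferralCode();
    }
}

contract ReferralDecoderTest is Test {
    ReferralDecoder internal decoder;
    // Constructed sample referrer; any address other than the caller works.
    address internal constant REFERRER = address(0xBEEF);

    function setUp() public {
        decoder = new ReferralDecoder();
    }

    function test_ValidCodeDecodesEitherWay() public {
        bytes memory code = abi.encode(REFERRER); // exactly 32 bytes
        assertEq(code.length, 32);
        assertEq(decoder.decodeUnchecked(code), REFERRER);
        assertEq(decoder.decodeChecked(code), REFERRER);
    }

    function test_TrailingBytesAreSilentlyIgnoredWithoutCheck() public {
        // 64 bytes: a valid address word followed by an arbitrary second word.
        bytes memory code = abi.encode(REFERRER, uint256(0xDEADBEEF));
        assertEq(code.length, 64);
        // abi.decode reads only the first word; the trailing word is never rejected.
        assertEq(decoder.decodeUnchecked(code), REFERRER);
        // The length check rejects the malformed code up front.
        vm.expectRevert(ReferralDecoder.InvalidReferralCode.selector);
        decoder.decodeChecked(code);
    }

    function test_ShortCodeRevertsInDecoder() public {
        // 20 raw address bytes (abi.encodePacked), i.e. not ABI-encoded.
        bytes memory code = abi.encodePacked(REFERRER);
        assertEq(code.length, 20);
        // abi.decode itself reverts on data shorter than one word.
        vm.expectRevert();
        decoder.decodeUnchecked(code);
        // The hardened path fails with the explicit custom error instead.
        vm.expectRevert(ReferralDecoder.InvalidReferralCode.selector);
        decoder.decodeChecked(code);
    }
}
```

Run it with `forge test --match-contract ReferralDecoderTest`. The second test is the one that matters for this finding: a code that is longer than one word is accepted by the unchecked path, which is why an explicit `referralCode.length == 0x20` check is the right fix rather than relying on abi.decode to reject bad input.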
Updates

Lead Judging Commences

inallhonesty, Lead Judge, over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
