DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Invalid

User cannot use custom referral codes created by owners when creating trading accounts because of type mismatch

Summary

A type mismatch exists between the referralCode parameter in the createTradingAccount and createTradingAccountAndMulticall functions and the customReferralCode created by the owner. The referralCode parameter expects a bytes type, while customReferralCode is stored as a string. This prevents users from directly using custom referral codes when creating trading accounts.

Vulnerability Details

function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
    CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
    emit LogCreateCustomReferralCode(referrer, customReferralCode);
}

createCustomReferralCode uses the string type for its customReferralCode input.

function createTradingAccount(
    bytes memory referralCode, // @> declared as bytes, not string
    bool isCustomReferralCode
)
    public
    virtual
    returns (uint128 tradingAccountId)
{ }

The createTradingAccount function requires bytes type for the referralCode parameter, while the createCustomReferralCode function accepts a string type. As a result, when a user tries to use a custom referral code (which is a string), it cannot be directly passed into the createTradingAccount function.

POC

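Remix:

// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

contract Test {
    // Custom referral code as the owner would store it (string).
    string public customReferralCode = "abc";

    // Converts the stored string to bytes inside the contract.
    function getReferralCode() public view returns (bytes memory) {
        bytes memory referralCode = bytes(customReferralCode);
        return referralCode;
    }

    // Mirrors the bytes parameter of createTradingAccount: echoes its input.
    function getReferralCode1(bytes memory referralCode) public pure returns (bytes memory) {
        return referralCode;
    }
}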

In the getReferralCode1 function, passing "abc" results in failure. The call executes successfully only when the bytes form of "abc" (0x616263) is passed.
In summary, if the customReferralCode is set to "abcd", this referral code cannot be passed as the parameter when a trader creates a trading account. Instead, one needs to use a data type conversion tool to transform "abc" into the bytes type "0x616263".
We are not currently considering the scenario where the frontend might convert the string into bytes, as we are only focusing on the Solidity code for now. Additionally, on https://testnet.app.zaros.fi, the actual referral code input is of bytes type. This means that users who wish to use a customReferralCode need a type conversion tool to convert it into bytes format before it can be used.
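
The conversion described above, as an added example that is not part of the original submission or the Zaros code base: a client-side helper that turns a custom referral code string into the bytes value and back, rejecting malformed input. The function names are hypothetical, and it assumes the code is matched by its UTF-8 bytes, which is what Solidity's bytes(string) conversion exposes.

```javascript
// Added example (hypothetical helper names, not Zaros code).
const encoder = new TextEncoder();
// fatal: true makes decode() throw on invalid UTF-8 instead of substituting U+FFFD.
const decoder = new TextDecoder("utf-8", { fatal: true });

// Hex-encode a byte array with a 0x prefix.
function toHex(bytes) {
  return "0x" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// string -> bytes: the UTF-8 bytes of the code, as bytes(customReferralCode) yields.
function referralCodeToBytes(code) {
  if (typeof code !== "string" || code.length === 0) {
    throw new TypeError("referral code must be a non-empty string");
  }
  return toHex(encoder.encode(code));
}

// bytes -> string: rejects odd-length or non-hex input and invalid UTF-8,
// the conversion mistakes a manual step can introduce.
function bytesToReferralCode(hex) {
  if (typeof hex !== "string" || !/^0x([0-9a-fA-F]{2})+$/.test(hex)) {
    throw new TypeError("expected 0x-prefixed hex with an even number of digits");
  }
  const raw = Uint8Array.from(hex.slice(2).match(/../g), (h) => parseInt(h, 16));
  return decoder.decode(raw);
}

// ABI tail of one dynamic argument: 32-byte length, then the data right-padded
// to a multiple of 32 bytes. The Solidity ABI encodes a string as the bytes of
// its UTF-8 form, so this same routine covers both parameter types.
function abiEncodeDynamic(hex) {
  const data = hex.slice(2).toLowerCase();
  const length = (data.length / 2).toString(16).padStart(64, "0");
  const padded = data.padEnd(Math.ceil(data.length / 64) * 64, "0");
  return "0x" + length + padded;
}

// Constructed sample input: the "abc" code from the PoC above.
const sample = referralCodeToBytes("abc");
console.log(sample, bytesToReferralCode(sample), abiEncodeDynamic(sample));
```

Codes are compared byte for byte, so "ABC" and "abc" convert to different values, and a non-ASCII character expands to more than one byte.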

Impact

This type mismatch limits the usability of custom referral codes, as users are required to perform additional steps to convert the code to the correct format. It also creates a potential point of error, as users may incorrectly convert the referral codes.

Tools Used

manual

Recommendations

To address this issue, it is recommended to store the customReferralCode as a bytes type instead of a string type. This would eliminate the need for users to manually convert the code and simplify the process of using custom referral codes.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

User cannot use custom referral codes created by owners when creating trading accounts because of type mismatch
