The handling of referral codes in the system does not validate or sanitize input, so malformed referral codes are accepted when isCustomReferralCode is set to true. URI-breaking and non-printable characters are stored and processed as-is, which can lead to cross-site scripting in front ends that render the code and to data integrity problems.
The vulnerability originates from the inadequate validation of the referral code passed as input to createTradingAccount at https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/TradingAccountBranch.sol#L229-L280, especially when isCustomReferralCode is true. Referral codes containing non-printable or URI-unsafe characters can disrupt the system in several ways. Specifically:
Malformed Referral Codes: Referral codes with non-printable or control characters (e.g., null bytes or escape sequences) are accepted and stored by the smart contract as-is, so downstream consumers process invalid data, leading to unexpected behavior.
Cross-Site Scripting (XSS): In contexts where referral codes are rendered in web interfaces or external systems without output encoding, special characters in the code could be interpreted as markup or script, leading to cross-site scripting.
System Instability: Improperly validated referral codes might cause errors or inconsistencies in user data (for example, a stored code that cannot be embedded in a referral link), leading to data integrity issues.
Let's explore such a scenario:
The attacker crafts a referral code containing bytes the contract never rejects, such as null bytes (\x00), escape sequences, or other control characters:
string memory maliciousReferralCode = string(abi.encodePacked("malicious", bytes1(0x00), "code"));
The attacker then creates a trading account with the crafted code, passing true for isCustomReferralCode so the bytes are treated as a custom referral code:
perpsEngine.createTradingAccount(bytes(maliciousReferralCode), true);
The call does not revert, and the malformed code is now associated with the new trading account.
Here is a PoC test of unsafe custom referral codes; none of the unsafeRefferalCodes passed as the argument cause a revert:
Malformed referral codes can lead to data integrity issues, incorrect referral associations, or unexpected behavior in system operations, and expose any front end or external system that renders the stored code to injection issues such as XSS.
Manual Review, Foundry
To mitigate this vulnerability, strict validation should be enforced on referral codes before they are stored or looked up. The validation process should ensure that:
Referral codes consist only of printable, URI-safe characters, and have a bounded length.
Referral codes do not contain any control characters or special characters that could break URIs or cause security issues.
Here is an example of such validation:
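The following is an added example written for this write-up, not code from the Zaros repository or from this submission, of such a validator in Solidity. It accepts only the RFC 3986 "unreserved" character set (A-Z, a-z, 0-9, "-", ".", "_", "~"), which is safe to embed in a URL without escaping. The length bounds, the ReferralCodeValidator and ReferralCodeGate names, and the Foundry test are assumptions chosen for illustration; the test reuses the malicious code from the scenario above and expects it to be rejected at index 9, where the null byte sits.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;

import { Test } from "forge-std/Test.sol";

/// Added example (not Zaros code): strict allow-list validation for referral codes.
library ReferralCodeValidator {
    // Assumed bounds; choose values that match the product's referral-link format.
    uint256 internal constant MIN_LENGTH = 3;
    uint256 internal constant MAX_LENGTH = 32;

    error EmptyReferralCode();
    error ReferralCodeTooShort(uint256 length, uint256 min);
    error ReferralCodeTooLong(uint256 length, uint256 max);
    error InvalidReferralCodeCharacter(uint256 index, bytes1 char);

    /// True iff `c` is in the RFC 3986 "unreserved" class: ALPHA / DIGIT / "-" / "." / "_" / "~".
    function isUnreserved(bytes1 c) internal pure returns (bool) {
        return (c >= 0x30 && c <= 0x39) // 0-9
            || (c >= 0x41 && c <= 0x5A) // A-Z
            || (c >= 0x61 && c <= 0x7A) // a-z
            || c == 0x2D // -
            || c == 0x2E // .
            || c == 0x5F // _
            || c == 0x7E; // ~
    }

    /// Non-reverting check, convenient for view functions and tests.
    function isValid(bytes memory code) internal pure returns (bool) {
        if (code.length < MIN_LENGTH || code.length > MAX_LENGTH) return false;
        for (uint256 i = 0; i < code.length; i++) {
            if (!isUnreserved(code[i])) return false;
        }
        return true;
    }

    /// Reverting check with a precise error. Call this in createTradingAccount
    /// (and in the owner-side function that registers custom codes) before the
    /// code is stored or used as a storage lookup key.
    function validate(bytes memory code) internal pure {
        if (code.length == 0) revert EmptyReferralCode();
        if (code.length < MIN_LENGTH) revert ReferralCodeTooShort(code.length, MIN_LENGTH);
        if (code.length > MAX_LENGTH) revert ReferralCodeTooLong(code.length, MAX_LENGTH);
        for (uint256 i = 0; i < code.length; i++) {
            if (!isUnreserved(code[i])) revert InvalidReferralCodeCharacter(i, code[i]);
        }
    }
}

/// Thin external wrapper so a Foundry test can use vm.expectRevert on the library.
contract ReferralCodeGate {
    using ReferralCodeValidator for bytes;

    function check(bytes memory referralCode, bool isCustomReferralCode) external pure {
        // Only custom codes are free-form text; address-encoded codes are decoded, not rendered.
        if (isCustomReferralCode) {
            referralCode.validate();
        }
    }
}

contract ReferralCodeValidatorTest is Test {
    ReferralCodeGate internal gate;

    function setUp() public {
        gate = new ReferralCodeGate();
    }

    function test_acceptsUriSafeCode() public view {
        gate.check(bytes("zaros-trader_01.v2~"), true);
        assertTrue(ReferralCodeValidator.isValid(bytes("zaros-trader_01.v2~")));
    }

    function test_rejectsNullByte() public {
        // Same crafted code as in the scenario above: the null byte is at index 9.
        string memory maliciousReferralCode = string(abi.encodePacked("malicious", bytes1(0x00), "code"));
        vm.expectRevert(
            abi.encodeWithSelector(ReferralCodeValidator.InvalidReferralCodeCharacter.selector, 9, bytes1(0x00))
        );
        gate.check(bytes(maliciousReferralCode), true);
    }

    function test_rejectsUriReservedAndControlCharacters() public pure {
        assertFalse(ReferralCodeValidator.isValid(bytes("a/b?c=d")));   // URI-reserved characters
        assertFalse(ReferralCodeValidator.isValid(bytes("\x1b[31mred"))); // ANSI escape sequence
        assertFalse(ReferralCodeValidator.isValid(bytes("<script>")));  // markup
        assertFalse(ReferralCodeValidator.isValid(bytes("ab")));        // below MIN_LENGTH
    }
}
```

Run with `forge test --match-contract ReferralCodeValidatorTest`. The allow-list is deliberately narrow rather than a deny-list of known-bad bytes: anything outside the unreserved set is rejected, so a code that passes can be placed in a referral URL, a JSON payload, or an HTML attribute without further escaping. Front ends should still apply normal output encoding; on-chain validation limits what can be stored, it does not replace defence in depth at the rendering layer.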