Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Improper Validation of Referral Codes in `createTradingAccount` Function

pelz

Summary

The createTradingAccount function in AccountManager.sol allows users to pass any address as a referral code without verifying if the address corresponds to an existing trading account within the system. This can lead to the misuse of referral codes and potential system abuse.

Vulnerability Details

The function createTradingAccount accepts a referral code and a boolean isCustomReferralCode to determine how to validate the referral code. If isCustomReferralCode is false, the function decodes the referral code as an address but does not check if this address corresponds to a valid trading account within the protocol. This allows users to encode any address into bytes and use it as a referral code.

Detailed Explanation

When isCustomReferralCode is false, the function decodes referralCode into an address without any validation to check if the address corresponds to a valid trading account. This can allow users to provide any address as a referral, potentially leading to abuse of the referral system.

function createTradingAccount(
bytes memory referralCode,
bool isCustomReferralCode
)
public
virtual
returns (uint128 tradingAccountId)
{
// fetch storage slot for global config
GlobalConfiguration.Data storage globalConfiguration = GlobalConfiguration.load();
// increment next account id & output // uint96
tradingAccountId = ++globalConfiguration.nextAccountId;
// get reference to account nft token
IAccountNFT tradingAccountToken = IAccountNFT(globalConfiguration.tradingAccountToken);
// create account record
TradingAccount.create(tradingAccountId, msg.sender);
// mint nft token to account owner
tradingAccountToken.mint(msg.sender, tradingAccountId);
emit LogCreateTradingAccount(tradingAccountId, msg.sender);
Referral.Data storage referral = Referral.load(msg.sender);
if (referralCode.length != 0 && referral.referralCode.length == 0) {
if (isCustomReferralCode) {
CustomReferralConfiguration.Data storage customReferral =
CustomReferralConfiguration.load(string(referralCode));
if (customReferral.referrer == address(0)) {
revert Errors.InvalidReferralCode();
}
referral.referralCode = referralCode;
referral.isCustomReferralCode = true;
} else {
address referrer = abi.decode(referralCode, (address));
if (referrer == msg.sender) {
revert Errors.InvalidReferralCode();
}
referral.referralCode = referralCode;
referral.isCustomReferralCode = false;
}
emit LogReferralSet(msg.sender, referral.getReferrerAddress(), referralCode, isCustomReferralCode);
}
return tradingAccountId;
}

Impact

  • Misuse of Referral Codes: Users can encode any address into bytes and use it as a referral code without validation, potentially leading to misuse and abuse of the referral system.

  • Potential Fraud: Malicious users could create multiple accounts using arbitrary addresses as referral codes to gain unfair advantages or rewards.

Tools Used

Manual review

Recommendations

  1. Verify Referral Address: Add a check to ensure that the decoded address corresponds to an existing trading account within the protocol before accepting it as a valid referral code.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!