Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Self-referral possible in custom referral code implementation

nisedo

Vulnerability Details

In the TradingAccountBranch.sol contract, the createTradingAccount() function implements a referral system that allows users to provide a referral code when creating a new trading account. The function handles two types of referral codes: custom and non-custom.

For non-custom referral codes, the function correctly prevents self-referral by checking if the referrer's address matches the msg.sender:

TradingAccountBranch.sol#L260-L262

} else {
address referrer = abi.decode(referralCode, (address));
>> if (referrer == msg.sender) {
>> revert Errors.InvalidReferralCode();
}
referral.referralCode = referralCode;
referral.isCustomReferralCode = false;
}

However, for custom referral codes, this check is not implemented:

if (isCustomReferralCode) {
CustomReferralConfiguration.Data storage customReferral =
CustomReferralConfiguration.load(string(referralCode));
if (customReferral.referrer == address(0)) {
revert Errors.InvalidReferralCode();
}
referral.referralCode = referralCode;
referral.isCustomReferralCode = true;

This implementation allows a user to create a custom referral code that refers to themselves, potentially exploiting the referral system for unintended benefits.

Impact

Users could create custom referral codes referring to themselves, potentially earning referral rewards without actually referring new users.

Proof of Concept

  1. Owner creates a custom referral code that maps to Alice's address with createCustomReferralCode:

/// @notice Creates a custom referral code.
/// @param referrer The address of the referrer.
/// @param customReferralCode The custom referral code.
function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
emit LogCreateCustomReferralCode(referrer, customReferralCode);
}

  1. Alice calls createTradingAccount() with her custom referral code and isCustomReferralCode set to true.

  2. The function processes the custom referral code without checking for self-referral.

  3. Alice's account is created with her own referral code, allowing her to receive referral benefits for her own account creation.

Recommendations

To mitigate this vulnerability, implement a self-referral check for custom referral codes similar to the one used for non-custom codes:

if (referralCode.length != 0 && referral.referralCode.length == 0) {
if (isCustomReferralCode) {
CustomReferralConfiguration.Data storage customReferral =
CustomReferralConfiguration.load(string(referralCode));
- if (customReferral.referrer == address(0)) {
+ if (customReferral.referrer == address(0) || customReferral.referrer == msg.sender) {
revert Errors.InvalidReferralCode();
}
referral.referralCode = referralCode;
referral.isCustomReferralCode = true;
} else {
address referrer = abi.decode(referralCode, (address));
if (referrer == msg.sender) {
revert Errors.InvalidReferralCode();
}
referral.referralCode = referralCode;
referral.isCustomReferralCode = false;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.