DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Uniqueness Check in GlobalConfigurationBranch::createCustomReferralCode

Summary

The GlobalConfigurationBranch::createCustomReferralCode function lacks essential validation checks for the customReferralCode. Specifically, it does not verify that the customReferralCode is not empty, and it fails to check if the customReferralCode is already in use. This could allow for the creation of empty or duplicate referral codes, potentially leading to conflicts and unintended behavior in the referral system.

Vulnerability Details

The function createCustomReferralCode is designed to create a custom referral code for a specified referrer. However, it does not perform necessary checks to ensure the integrity and uniqueness of the customReferralCode.

Here is the relevant code snippet:

/// @notice Creates a custom referral code.
/// @param referrer The address of the referrer.
/// @param customReferralCode The custom referral code.
function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
    // audit: no check on the customReferralCode
    // audit: no check if referralCode is already being used??
    CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
    emit LogCreateCustomReferralCode(referrer, customReferralCode);
}

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/GlobalConfigurationBranch.sol#L629-L637

Impact

Because there is no check for an existing `customReferralCode`, referrers might lose their custom codes unexpectedly, potentially leading to loss of referral relationships and rewards.

Tools Used

Manual Review

Recommendations

Implement checks for both empty strings and existing referral codes. Here's an improved version of the function:

/// @notice Creates a custom referral code.
/// @param referrer The address of the referrer.
/// @param customReferralCode The custom referral code.
function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
    // Check for empty custom referral code
    if (bytes(customReferralCode).length == 0) {
        revert Errors.EmptyInput("customReferralCode");
    }
    // Check if custom referral code is already taken
    if (CustomReferralConfiguration.load(customReferralCode).referrer != address(0)) {
        revert Errors.CustomReferralCodeAlreadyExists();
    }
    CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
    emit LogCreateCustomReferralCode(referrer, customReferralCode);
}
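
An added example, not part of the original submission or the Zaros code base: a simplified, self-contained model of the storage write, showing a second unchecked call silently reassigning a code while the checked variant rejects it. The contract names, the mapping-based storage, the error declarations and the sample addresses and codes are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of per-code referral storage (assumption: one referrer per code,
/// modelled as a mapping keyed by the hash of the code string; not the project's layout).
contract ReferralCodeModel {
    error EmptyInput(string parameter);
    error CustomReferralCodeAlreadyExists();

    mapping(bytes32 => address) private referrerOf;

    /// Behaviour of the snippet under review: the write is unconditional.
    function createUnchecked(address referrer, string memory code) public {
        referrerOf[keccak256(bytes(code))] = referrer;
    }

    /// Behaviour of the recommended version: empty and taken codes are rejected.
    function createChecked(address referrer, string memory code) public {
        if (bytes(code).length == 0) revert EmptyInput("customReferralCode");
        bytes32 key = keccak256(bytes(code));
        if (referrerOf[key] != address(0)) revert CustomReferralCodeAlreadyExists();
        referrerOf[key] = referrer;
    }

    function referrerFor(string memory code) external view returns (address) {
        return referrerOf[keccak256(bytes(code))];
    }
}

/// Runs both paths with constructed sample values and reports what happened.
contract ReferralCodeModelDemo {
    function run() external returns (bool overwritten, bool secondCreateRejected) {
        ReferralCodeModel m = new ReferralCodeModel();
        address alice = address(0xA11CE); // constructed sample address
        address bob = address(0xB0B);     // constructed sample address

        m.createUnchecked(alice, "PROMO");
        m.createUnchecked(bob, "PROMO"); // no revert: alice's entry is replaced
        overwritten = m.referrerFor("PROMO") == bob;

        m.createChecked(alice, "LAUNCH");
        try m.createChecked(bob, "LAUNCH") {
            secondCreateRejected = false;
        } catch {
            secondCreateRejected = m.referrerFor("LAUNCH") == alice;
        }
    }
}
```

Calling `run()` on the demo contract returns `(true, true)`: the unchecked path reassigns the code to the second referrer, and the checked path leaves the first referrer in place.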

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
