DeFiFoundry
60,000 USDC
Submission Details
Severity: high
Invalid

Referral logic utility not implemented and code reusable by the same user

Summary

The referral logic has no use or benefit, gives no reward to either the user or the referrer, and the same code can be used by the same account multiple times.

Vulnerability Details

In order to start trading, the user must first create a trading account via TradingAccountBranch::createTradingAccount; during this process the user can include a referral code given to them by a referrer. The issue is that this is pointless: there is no benefit to the user for using the referral code, nor to the referrer for giving it. An account created with a referral is the same as one created without; there is no parameter in the tradingAccount struct that indicates whether the user used a code. Additionally, the same referral code can be used by the same user to create more than one account, as shown in the following test. You may add it to createTradingAccount.t.sol to reproduce.

function test_userCanUseReferalMultipleTimes()
    external
    givenTheTradingAccountTokenIsSet
    whenTheUserHasAReferralCode
    whenTheReferralCodeIsCustom
{
    string memory customReferralCode = "customReferralCode";

    // the owner registers a custom referral code
    changePrank({ msgSender: users.owner.account });
    perpsEngine.createCustomReferralCode(users.owner.account, customReferralCode);

    // the same user creates two accounts with the same code; neither call reverts
    changePrank({ msgSender: users.naruto.account });
    perpsEngine.createTradingAccount(bytes(customReferralCode), true);
    perpsEngine.createTradingAccount(bytes(customReferralCode), true);
}

Impact

The whole referral logic has no practical use within the protocol.

Tools Used

Manual review

Recommendations

First, you may add parameters to the account struct indicating whether it used a referral code and who the referrer was, in order to differentiate the users who used a code so that they can be included in any reward to be implemented. Second, for referrers, you may add a counter indicating how many times their code has been used, stored in a parameter keyed by the referrer, so that they can be included in any reward to be implemented. Finally, when creating an account, a check is required to see whether the user's address has already used the code in other accounts owned by them (for this a mapping would be necessary: address => accountId[ ]), to prevent foul play in any reward system to be implemented.
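The following contract is an added illustration of the three recommendations above; it is not code from the Zaros/DeFiFoundry repository and the contract and function names (ReferralRegistry, codeOwner, codeUsedBy, accountsOf, and the simplified createTradingAccount signature) are assumptions. It records the referrer per account, counts uses per referrer, keeps the address => accountId[] mapping, and rejects a second use of the same code by the same address. A self-referral check is included as well, which goes slightly beyond the text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative referral bookkeeping (added example, not the project's own code).
/// All identifiers below are hypothetical.
contract ReferralRegistry {
    struct ReferralInfo {
        address referrer; // zero address when no code was used
        bytes32 codeHash; // keccak256 of the code that was used, if any
    }

    address public immutable owner;
    uint128 private nextAccountId = 1;

    // recommendation 1: per-account record of whether a code was used and by whom it was issued
    mapping(uint128 => ReferralInfo) public referralOf;
    // recommendation 2: per-referrer counter of accounts created with one of their codes
    mapping(address => uint256) public referralCount;
    // recommendation 3: user => codeHash => already used, plus user => accountId[]
    mapping(address => mapping(bytes32 => bool)) public codeUsedBy;
    mapping(address => uint128[]) private accountsOf;
    // codeHash => referrer who registered the code
    mapping(bytes32 => address) public codeOwner;

    error NotOwner();
    error CodeUnknown(bytes code);
    error CodeAlreadyUsed(address user, bytes code);
    error SelfReferral();

    event CustomReferralCodeCreated(address indexed referrer, bytes code);
    event TradingAccountCreated(uint128 indexed accountId, address indexed account, address indexed referrer);

    constructor() {
        owner = msg.sender;
    }

    /// Only the protocol owner may register a custom code, mirroring the owner-only call in the test above.
    function createCustomReferralCode(address referrer, bytes calldata code) external {
        if (msg.sender != owner) revert NotOwner();
        codeOwner[keccak256(code)] = referrer;
        emit CustomReferralCodeCreated(referrer, code);
    }

    /// Creates an account; an empty referralCode means "no referral".
    function createTradingAccount(bytes calldata referralCode) external returns (uint128 accountId) {
        accountId = nextAccountId++;
        accountsOf[msg.sender].push(accountId);

        address referrer;
        if (referralCode.length != 0) {
            bytes32 codeHash = keccak256(referralCode);
            referrer = codeOwner[codeHash];
            if (referrer == address(0)) revert CodeUnknown(referralCode);
            if (referrer == msg.sender) revert SelfReferral();
            // the same address may use a given code for only one of its accounts
            if (codeUsedBy[msg.sender][codeHash]) revert CodeAlreadyUsed(msg.sender, referralCode);

            codeUsedBy[msg.sender][codeHash] = true;
            referralOf[accountId] = ReferralInfo({ referrer: referrer, codeHash: codeHash });
            referralCount[referrer] += 1;
        }

        emit TradingAccountCreated(accountId, msg.sender, referrer);
    }

    /// Accounts owned by an address, so any reward logic can see which of them were referred.
    function accountsOwnedBy(address user) external view returns (uint128[] memory) {
        return accountsOf[user];
    }
}
```

With this bookkeeping, the second createTradingAccount call in the test above would revert with CodeAlreadyUsed. Note that the per-address check only stops reuse from one address; a user holding several addresses can still claim the same code from each, so any reward tied to referrals should also be capped or vetted on the referrer's side.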

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
