Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Absence of Existence Check in GlobalConfigurationBranch::createCustomReferralCode Function Causes a Risk of Overwriting Existing Referral Codes

dimi6oni

Summary

The createCustomReferralCode function in the GlobalConfigurationBranch contract lacks an existence check when creating new custom referral codes. While the risk of unauthorized overwrites is mitigated by access control, the absence of an on-chain existence check could lead to accidental overwrites, potentially impacting the integrity of the referral system in the Zaros protocol.

Vulnerability Detail

The vulnerability exists in the createCustomReferralCode function.

While the function is protected by the onlyOwner modifier, it lacks checks for:

  1. Existence of the referral code

  2. Validity of the referral code (length, character set)

  3. Non-zero referrer address

Impact

Accidental overwrites, depending on the owner's management processes.

Despite the low probability, the potential impact could be significant:

  1. Accidental overwriting of existing referral relationships

  2. Potential for referral code "theft"

  3. Reduced integrity and reliability of the referral system

  4. Possible economic implications due to incorrect reward distributions

In the context of Zaros, a financial protocol dealing with perpetual futures trading, even low-probability risks warrant mitigation due to the potential financial implications.

Tool used

Manual Review

Recommendation

Despite the low probability, implementing an existence check is still highly recommended because:

  1. It provides an additional layer of security against both malicious and accidental overwrites.

  2. It enforces good practices and reduces reliance on off-chain processes to track and manage referral codes.

  3. The cost of implementing this check is minimal compared to the potential impact of an overwrite.

  4. It aligns with the principle of defense in depth in security design.

To address this vulnerability, implement comprehensive checks in the createCustomReferralCode function. Here's an improved version of the function incorporating best practices:

mapping(string => bool) private usedReferralCodes;
function createCustomReferralCode(address referrer, string memory customReferralCode) external onlyOwner {
require(referrer != address(0), "Referrer cannot be zero address");
require(bytes(customReferralCode).length >= 8, "Referral code too short");
require(!usedReferralCodes[customReferralCode], "Referral code already exists");
require(isAlphanumeric(customReferralCode), "Invalid characters in referral code");
CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
usedReferralCodes[customReferralCode] = true;
emit LogCreateCustomReferralCode(referrer, customReferralCode);
}
function isAlphanumeric(string memory str) private pure returns (bool) {
bytes memory b = bytes(str);
for(uint i; i<b.length; i++){
if((b[i] < 0x30 || b[i] > 0x39) && //9-0
(b[i] < 0x41 || b[i] > 0x5A) && //A-Z
(b[i] < 0x61 || b[i] > 0x7A)) { //a-z
return false;
}
}
return true;
}

This implementation addresses the following:

  1. Checks for zero address referrer

  2. Enforces a minimum length for referral codes

  3. Prevents duplicate referral codes using a mapping

  4. Ensures referral codes only contain alphanumeric characters

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.