Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

The referrer check to ensure that is not the owner of the position can fooled

draiakoo

Summary

The referrer check to ensure that is not the owner of the position can fooled

Vulnerability Details

When a user creates a trading account, there is the chance to set a referrer. However, there is a check to ensure that the passed referrer is not the caller of the execution.

function createTradingAccount(
bytes memory referralCode,
bool isCustomReferralCode
)
public
virtual
returns (uint128 tradingAccountId)
{
...
if (referralCode.length != 0 && referral.referralCode.length == 0) {
if (isCustomReferralCode) {
CustomReferralConfiguration.Data storage customReferral =
CustomReferralConfiguration.load(string(referralCode));
if (customReferral.referrer == address(0)) {
revert Errors.InvalidReferralCode();
}
referral.referralCode = referralCode;
referral.isCustomReferralCode = true;
} else {
address referrer = abi.decode(referralCode, (address));
@> if (referrer == msg.sender) {
@> revert Errors.InvalidReferralCode();
@> }
referral.referralCode = referralCode;
referral.isCustomReferralCode = false;
}
emit LogReferralSet(msg.sender, referral.getReferrerAddress(), referralCode, isCustomReferralCode);
}
return tradingAccountId;
}

I assume that this check is made to ensure that the referrer is not the owner of the trading account. However, it can be simply bypassed by creating the trading account with an alt account, set the referrer to the main account and then transfer the position to the main account.

Impact

Low

Tools Used

Manual review

Recommendations

I would recommend to erase the referrer when the position is transfered.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Referrals should be set per trading account id instead of per trader

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.