Submission Details
Severity:
Referral is not updated when trading account is transferred
Summary
When account is being transferred notifyAccountTransfer doesn’t check whether this account have active referral attached to it and it will continue to use the old referral.
Vulnerability Details
Looking at the notifyAccountTransfer:
function notifyAccountTransfer(address to, uint128 tradingAccountId) external {
_onlyTradingAccountToken();
TradingAccount.Data storage tradingAccount = TradingAccount.loadExisting(tradingAccountId);
tradingAccount.owner = to;
}
We can see that it doesn’t check if the account have active referral and also won’t change or disable it.
Impact
Transferred trading account will continue to use the old referral and bring benefits (ZRS tokens or other incentives that Zaros team provides).
Tools Used
Manual Review
Recommendations
Add code to disable/change the referral when account is being transferred to other people.
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
Referrals should be set per trading account id instead of per trader
Appeal created
slavcheww
12 months ago
inallhonesty
12 months ago
inallhonesty 11 months ago
Submission Judgement Published Assigned finding tags:
Referrals should be set per trading account id instead of per trader
Prize pool breakdown
Total prize
60,000 USDC
nSLOC
2,87821 USDC / LOC
50,000 USDC
5,500 USDC
4,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.