DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Referrer Existence Validation Enabling Phantom Referrals

Summary

When a non-custom referral code is set in createTradingAccount, the contract never checks that the decoded referrer address belongs to an account that exists in the system. This allows "phantom" referrals: referral entries that point at addresses which have never interacted with the protocol. The result is inaccurate referral tracking and potentially misdirected reward allocation, which undermines the integrity of the referral program and can lead to financial loss or reputational damage.

Vulnerability Detail

The vulnerability is located in the createTradingAccount function, in the branch that processes a non-custom referral code. The relevant code is:

if (referralCode.length != 0 && referral.referralCode.length == 0) {
    if (isCustomReferralCode) {
        CustomReferralConfiguration.Data storage customReferral =
            CustomReferralConfiguration.load(string(referralCode));
        if (customReferral.referrer == address(0)) {
            revert Errors.InvalidReferralCode();
        }
        referral.referralCode = referralCode;
        referral.isCustomReferralCode = true;
    } else {
        address referrer = abi.decode(referralCode, (address));
        if (referrer == msg.sender) {
            revert Errors.InvalidReferralCode();
        }
        // Lack of referrer existence validation
        referral.referralCode = referralCode;
        referral.isCustomReferralCode = false;
    }
    emit LogReferralSet(msg.sender, referral.getReferrerAddress(), referralCode, isCustomReferralCode);
}

In this function:

  1. Custom referral codes are validated: the code must load a CustomReferralConfiguration whose referrer is not the zero address, otherwise the call reverts with InvalidReferralCode.

  2. Non-custom referral codes are simply ABI-decoded into a referrer address. The only check applied is that the referrer is not msg.sender; nothing verifies that the decoded address corresponds to an existing user of the system.

Because of this missing check, any 32-byte value that decodes to an address other than the caller is accepted, so non-existent or "phantom" referrer addresses can be recorded in the system, leading to inaccurate referral data and potential abuse.

Impact

The lack of referrer existence validation has the following potential consequences:

  1. Financial Loss: Rewards may be allocated to referrer addresses that never created an account, resulting in unintended payouts and financial loss for the protocol.

  2. Integrity Risks: Phantom referrals skew referral statistics, distorting the measured performance of the referral program and leading to misinformed decisions.

  3. Reputation Damage: Discovery or exploitation of this flaw could harm the protocol's reputation, as users may perceive the referral system as manipulable.

Tool used

Manual Review

Recommendation

To mitigate this issue, check that the decoded referrer address corresponds to an existing user before recording the referral, as in the snippet below. With this check in place only valid, existing accounts can be set as referrers, which prevents phantom referrals and keeps the referral data accurate.

if (referralCode.length != 0 && referral.referralCode.length == 0) {
    if (isCustomReferralCode) {
        CustomReferralConfiguration.Data storage customReferral =
            CustomReferralConfiguration.load(string(referralCode));
        if (customReferral.referrer == address(0)) {
            revert Errors.InvalidReferralCode();
        }
        referral.referralCode = referralCode;
        referral.isCustomReferralCode = true;
    } else {
        address referrer = abi.decode(referralCode, (address));
        if (referrer == msg.sender) {
            revert Errors.InvalidReferralCode();
        }
        // Add referrer existence validation. TradingAccount.exists is an
        // illustrative helper; use the protocol's own account lookup.
        if (!TradingAccount.exists(referrer)) {
            revert Errors.InvalidReferralCode(); // or a dedicated error
        }
        referral.referralCode = referralCode;
        referral.isCustomReferralCode = false;
    }
    emit LogReferralSet(msg.sender, referral.getReferrerAddress(), referralCode, isCustomReferralCode);
}
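The following self-contained contract is an added illustration of the two referral paths described above and of the recommended fix; it is not code from the audited project or from this report. The account registry (accountExists), the custom-code registry (customReferrer), the setReferral entry point and the validateReferrerExists switch are hypothetical stand-ins for the protocol's own storage and helpers; only the code-handling logic mirrors the snippets in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal illustration (not Zaros code) of custom vs. non-custom referral
/// codes and of the missing referrer-existence check.
contract ReferralDemo {
    error InvalidReferralCode();
    error ReferralAlreadySet();

    event LogReferralSet(address indexed user, address indexed referrer, bytes referralCode, bool isCustomReferralCode);

    struct Referral {
        bytes referralCode;
        bool isCustomReferralCode;
    }

    // Hypothetical registry of accounts that exist in the system.
    mapping(address => bool) public accountExists;
    // Hypothetical custom-code registry: "ALICE" => referrer address.
    mapping(string => address) public customReferrer;
    mapping(address => Referral) private referralOf;

    // false reproduces the reported behaviour, true applies the recommended check.
    bool public immutable validateReferrerExists;

    constructor(bool _validateReferrerExists) {
        validateReferrerExists = _validateReferrerExists;
    }

    /// Marks the caller as an existing account.
    function register() external {
        accountExists[msg.sender] = true;
    }

    /// Registers a custom code that resolves to the caller.
    function registerCustomCode(string calldata code) external {
        customReferrer[code] = msg.sender;
    }

    /// A non-custom code is just the ABI encoding of the referrer address,
    /// so any 32-byte value that decodes to an address is a syntactically valid code.
    function encodeAddressCode(address referrer) external pure returns (bytes memory) {
        return abi.encode(referrer);
    }

    function setReferral(bytes memory referralCode, bool isCustomReferralCode) external {
        Referral storage referral = referralOf[msg.sender];
        if (referral.referralCode.length != 0) revert ReferralAlreadySet();
        if (referralCode.length == 0) return;

        if (isCustomReferralCode) {
            // Custom path: the code must resolve to a registered referrer.
            address referrer = customReferrer[string(referralCode)];
            if (referrer == address(0)) revert InvalidReferralCode();
            referral.referralCode = referralCode;
            referral.isCustomReferralCode = true;
        } else {
            // Non-custom path: only a self-referral check in the reported code.
            address referrer = abi.decode(referralCode, (address));
            if (referrer == msg.sender) revert InvalidReferralCode();
            // Recommended fix: reject referrers that do not exist in the system.
            if (validateReferrerExists && !accountExists[referrer]) revert InvalidReferralCode();
            referral.referralCode = referralCode;
            referral.isCustomReferralCode = false;
        }
        emit LogReferralSet(msg.sender, getReferrerAddress(msg.sender), referralCode, isCustomReferralCode);
    }

    /// Resolves the stored code back to a referrer address (zero if none set).
    function getReferrerAddress(address user) public view returns (address) {
        Referral storage referral = referralOf[user];
        bytes memory code = referral.referralCode;
        if (code.length == 0) return address(0);
        if (referral.isCustomReferralCode) return customReferrer[string(code)];
        return abi.decode(code, (address));
    }
}
```

Deployed with validateReferrerExists = false, a call to setReferral(abi.encode(someAddress), false) from a fresh account succeeds for any address that never called register(), and getReferrerAddress then returns that phantom address. Deployed with validateReferrerExists = true, the same call reverts with InvalidReferralCode unless the referrer has registered, which is the behaviour the recommendation asks for.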

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
