Referral info is set to the wrong address
Summary
Referral info is set to the wrong address.
Vulnerability Details
In SystemConfig.updateReferrerInfo the referral info is incorrectly set to the _referrer address instead of the _msgSender() address. Meaning that all referrers will refer to themselves and that anyone can set the referral of anyone else.
Impact
Anyone can set the referral of anyone else, which completely breaks the referral system.
Tools Used
Manual inspection.
Recommendations
Lead Judging Commences
finding-SystemConfig-updateReferrerInfo-msgSender
Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.