Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Access control type vulnerability in `SystemConfig:updateReferrerInfo()`.

nikhil20

Summary

This vulnerability arises from the SystemConfig:updateReferrerInfo() function, which allows arbitrary users to update critical parameters that control the distribution of platform fees. Specifically, the referrerRate and authorityRate settings can be manipulated by attackers to unjustly allocate rewards and funds.

Vulnerability Details

The SystemConfig:updateReferrerInfo() function is responsible for updating the referrer setting, specifically the referralInfo.referrerRate and referralInfo.authorityRate. These parameters are crucial as they directly influence the distribution of rewards and funds. Unauthorized or malicious manipulation of these values can result in significant financial losses for users.

In the PreMarkets:createTaker function, the platformFee is calculated as follows:

depositAmount.mulDiv(

platformFeeRate,

Constants.PLATFORM_FEE_DECIMAL_SCALER // 1_000_000

);

This platformFee is then distributed between the referrer (the entity that referred msg.sender) and the current user (msg.sender) as referrerReferralBonus and authorityReferralBonus. Both bonuses are calculated using the following formulas:

Referrer Referral Bonus:

uint256 referrerReferralBonus = platformFee.mulDiv(

referralInfo.referrerRate,

Constants.REFERRAL_RATE_DECIMAL_SCALER,

Math.Rounding.Floor

);

Authority Referral Bonus:

uint256 authorityReferralBonus = platformFee.mulDiv(

referralInfo.authorityRate,

Constants.REFERRAL_RATE_DECIMAL_SCALER, // 1_000_000

Math.Rounding.Floor

);

The calculated bonuses are then added to the respective balances of the referrer and msg.sender. However, since anyone can invoke the SystemConfig:updateReferrerInfo() function and supply arbitrary values for _referrer, _referrerRate, and _authorityRate, this data can be manipulated to favor the attacker, leading to the diversion of funds.

Impact

Divert funds by manipulating the referral rates
Potentially cause a loss of trust in the platform due to unfair distribution of rewards.
Unjustly increase their own or another party's rewards at the expense of others.

Tools Used

Manual

Recommendations

Use restriction is calling of this function SystemConfig:updateReferrerInfo().

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.