Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Referral system is broken, referrer will always refer to himself and get discount on fees

bkweb3

Summary

Tadle allows user to set referrers via SystemConfig::updateReferrerInfo. In that way referrers are able to earn percentage of platformFee during PreMarkets::createTaker function.

The issue is that because of a mistake in SystemConfig::updateReferrerInfo code, it is only possible to refer the referrer himself.

Vulnerability Details

SystemConfig::updateReferrerInfo function sets referrer/referee info as follows:

function updateReferrerInfo(
address _referrer,
uint256 _referrerRate,
uint256 _authorityRate
) external {
...
ReferralInfo storage referralInfo = referralInfoMap[_referrer];
referralInfo.referrer = _referrer;
referralInfo.referrerRate = _referrerRate;
referralInfo.authorityRate = _authorityRate;
...
}

Note that _referrer is set as key in the mapping and as referralInfo.referrer value -> This means that referrer will refer himself all the time.

Furthermore, the referralInfo is used in SystemConfig::createTaker function to payout the referrer a percentage of the platform fee. PreMarkets::_updateReferralBonus function is responsible for managing the referral fee. Because of the issue inside SystemConfig::updateReferrerInfo, this is the place where user will get the discount on the protocol fees.

uint256 referrerReferralBonus = platformFee.mulDiv(
referralInfo.referrerRate,
Constants.REFERRAL_RATE_DECIMAL_SCALER,
Math.Rounding.Floor
);
/**
* @dev update referrer referral bonus
* @dev update authority referral bonus
*/
tokenManager.addTokenBalance(
TokenBalanceType.ReferralBonus,
referralInfo.referrer,
makerInfo.tokenAddress,
referrerReferralBonus
);
uint256 authorityReferralBonus = platformFee.mulDiv(
referralInfo.authorityRate,
Constants.REFERRAL_RATE_DECIMAL_SCALER,
Math.Rounding.Floor
);
tokenManager.addTokenBalance(
TokenBalanceType.ReferralBonus,
_msgSender(),
makerInfo.tokenAddress,
authorityReferralBonus
);

Impact

User will get a discount on platform fees and referral system won't work as intended.

Tools Used

Manual Review

Recommendations

Inside the SystemConfig::updateReferrerInfo do the following changes:

- ReferralInfo storage referralInfo = referralInfoMap[_referrer];
+ ReferralInfo storage referralInfo = referralInfoMap[msg.sender];
referralInfo.referrer = _referrer;
referralInfo.referrerRate = _referrerRate;
referralInfo.authorityRate = _authorityRate;

This ensures that referrer cannot refer the same address and referral system will work as intended

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.