Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Anyone can change referal fees

tyoma

Summary

Anyone can change referal fees for the user with extra referal rate

Vulnerability Details

updateReferrerInfo function checks that msgSender is NOT referer, so anyone except for the user themselves could change their referer info

You can verify it by adding this simple test to PreMarkets.t.sol:

function test_anyone_can_change_referer() public {
vm.startPrank(user1);
systemConfig.updateReferralExtraRateMap(address(0x1), 300);
vm.stopPrank();
vm.startPrank(user2);
systemConfig.updateReferrerInfo(address(0x1), 300001, 299);
vm.stopPrank();
}

user1 is the owner here, user2 is not, as in the other tests

Impact

The referer wouldn't get the expected amount of fees from their referals

Tools Used

Manual check

Recommendations

Change if (_msgSender() == _referrer) revert(...) to if (_msgSender() != _referrer) revert(...)

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.