Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

Loss of funds for the protocol because everyone can become a referral for themselves

Summary

According to Tadle's documentation, the referral program works as follows:

  • Users can share their referral link and refer their friends and peers to trade on Tadle.

  • Once the peers have signed up and completed a trade on Tadle, the referrer will earn a 30% commission rate on their referred peers’ transaction fees.

In the current implementation of Tadle, this does not work as described: the commission always goes to the same user, the taker. Consequently, any user can register themselves as a referrer from another address and receive at least the 30% referral commission on their own trades. This leads to a loss of funds for the protocol, because referral commissions are paid out of the platform fees that would otherwise go to the protocol.

Vulnerability Details

I will support the above statements with excerpts from the source code. In PreMarkets, the referral information is looked up by passing msg.sender (the taker) to getReferralInfo:

    ReferralInfo memory referralInfo = systemConfig.getReferralInfo(
        _msgSender()
    );

getReferralInfo simply indexes the mapping with that address, so the referrer it returns is whatever was stored under the taker's own address:

    function getReferralInfo(
        address _referrer
    ) external view returns (ReferralInfo memory) {
        return referralInfoMap[_referrer];
    }

The entry that this lookup reads is written in SystemConfig.updateReferrerInfo(), and it is keyed by the _referrer argument rather than by the caller who is being referred:

    ReferralInfo storage referralInfo = referralInfoMap[_referrer];
    referralInfo.referrer = _referrer;
    referralInfo.referrerRate = _referrerRate;
    referralInfo.authorityRate = _authorityRate;

Finally, in PreMarkets._updateReferralBonus() it can be seen that the referral bonus is carved out of the platform fee, i.e. out of protocol revenue:

    // referrer share of the platform fee
    uint256 referrerReferralBonus = platformFee.mulDiv(
        referralInfo.referrerRate,
        Constants.REFERRAL_RATE_DECIMAL_SCALER,
        Math.Rounding.Floor
    );

    /**
     * @dev update referrer referral bonus
     * @dev update authority referral bonus
     */
    tokenManager.addTokenBalance(
        TokenBalanceType.ReferralBonus,
        referralInfo.referrer,        // credited to the stored referrer
        makerInfo.tokenAddress,
        referrerReferralBonus
    );

    // authority share of the platform fee
    uint256 authorityReferralBonus = platformFee.mulDiv(
        referralInfo.authorityRate,
        Constants.REFERRAL_RATE_DECIMAL_SCALER,
        Math.Rounding.Floor
    );
    tokenManager.addTokenBalance(
        TokenBalanceType.ReferralBonus,
        _msgSender(),                 // credited to the taker
        makerInfo.tokenAddress,
        authorityReferralBonus
    );

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L858-L886
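As an added illustration (not code from this report or from Tadle), the following Python model reproduces the mapping write and the bonus split from the excerpts above, with the record keyed by the caller as the corrected variant. The scaler value, the base rate, the direct self-referral guard and the address names are constructed assumptions.

```python
from dataclasses import dataclass

SCALER = 10_000             # models Constants.REFERRAL_RATE_DECIMAL_SCALER (assumed value)
BASE_REFERRAL_RATE = 3_000  # 30% of the platform fee, as the docs describe (assumed scale)

@dataclass
class ReferralInfo:
    referrer: str = ""
    referrer_rate: int = 0
    authority_rate: int = 0

class SystemConfigModel:
    """Models SystemConfig.referralInfoMap; fixed=True selects the corrected key."""
    def __init__(self, fixed: bool):
        self.fixed = fixed
        self.referral_info_map: dict[str, ReferralInfo] = {}

    def update_referrer_info(self, caller, referrer, referrer_rate, authority_rate):
        if caller == referrer:  # direct self-referral guard (assumed)
            raise ValueError("InvalidReferrer")
        if referrer_rate + authority_rate != BASE_REFERRAL_RATE:
            raise ValueError("InvalidRate")
        # Bug: the record is written under _referrer, so the caller's own entry is
        # never set. Fix: key the record by the caller, who is the referred user.
        key = caller if self.fixed else referrer
        self.referral_info_map[key] = ReferralInfo(referrer, referrer_rate, authority_rate)

    def get_referral_info(self, addr):
        return self.referral_info_map.get(addr, ReferralInfo())

def distribute_referral_bonus(cfg, taker, platform_fee):
    """Mirrors PreMarkets._updateReferralBonus: looks up the taker and splits the fee."""
    info = cfg.get_referral_info(taker)
    referrer_bonus = platform_fee * info.referrer_rate // SCALER
    authority_bonus = platform_fee * info.authority_rate // SCALER
    payouts = {"protocol": platform_fee - referrer_bonus - authority_bonus}
    if info.referrer:
        payouts[info.referrer] = payouts.get(info.referrer, 0) + referrer_bonus
        payouts[taker] = payouts.get(taker, 0) + authority_bonus
    return payouts

def legit_flow(fixed):
    """alice signs up through bob's link, then trades paying a platform fee of 1000."""
    cfg = SystemConfigModel(fixed)
    cfg.update_referrer_info("alice", "bob", 2_000, 1_000)
    return distribute_referral_bonus(cfg, "alice", 1_000)

def self_referral_flow(fixed):
    """eve registers her own address as referrer from a second address, then trades."""
    cfg = SystemConfigModel(fixed)
    cfg.update_referrer_info("eve_helper", "eve", 2_000, 1_000)
    return distribute_referral_bonus(cfg, "eve", 1_000)
```

With the buggy key, bob earns nothing from alice's trade while eve collects both shares of her own fee; with the caller-keyed record, the split matches the documented program and eve's entry stays empty.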

Impact

Loss of funds for the protocol

Tools Used

Manual review

Recommendations

Fix the referral logic so that it uses the real referrer identity from the referral link, as described in the docs.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `referralInfoMap` mapping:

1. Wrong referral info is always set, so the referral will always be delegated to the referrer address instead of the caller.
2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the referral system.

I prefer the #1500 description the most, because it seems to be the only issue although without a PoC to fully describe all of the possible impacts.
