Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

`SystemConfig::updateReferrerInfo` Lacks Access Control, Allowing Referrers to Modify Referral Rate Using Another Address

simon0417

Relevant GitHub Links

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L41

Summary

In the SystemConfig::updateReferrerInfo function, the referrer address is prohibited from modifying their own referral rate according to the NatSpec documentation. However, this restriction can be easily circumvented by invoking the function with a different address.

Vulnerability Details

The function is designed to revert when the caller’s address matches the provided referrer address. Despite this, a caller can easily create a new address and call the function. Additionally, any user is capable of calling this function to modify the referral information of other users.

function updateReferrerInfo(

address _referrer,

uint256 _referrerRate,

uint256 _authorityRate

) external {

@> if (_msgSender() == _referrer) {

revert InvalidReferrer(_referrer);

}

if (_referrer == address(0x0)) {

revert Errors.ZeroAddress();

}

if (_referrerRate < baseReferralRate) {

revert InvalidReferrerRate(_referrerRate);

}

uint256 referralExtraRate = referralExtraRateMap[_referrer];

uint256 totalRate = baseReferralRate + referralExtraRate;

if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {

revert InvalidTotalRate(totalRate);

}

if (_referrerRate + _authorityRate != totalRate) {

revert InvalidRate(_referrerRate, _authorityRate, totalRate);

}

ReferralInfo storage referralInfo = referralInfoMap[_referrer];

referralInfo.referrer = _referrer;

referralInfo.referrerRate = _referrerRate;

referralInfo.authorityRate = _authorityRate;

emit UpdateReferrerInfo(

msg.sender,

_referrer,

_referrerRate,

_authorityRate

);

}

POC

copy and paste the code below to file PreMartkets.t.sol and run it.

import{ReferralInfo} from "../src/interfaces/ISystemConfig.sol";

function test_updateReferralInfo() public {

vm.prank(user1);

//the owner update the referral extra rate to 500000

systemConfig.updateReferralExtraRateMap(user2, 500_000);

ReferralInfo memory referralInfoBefore = systemConfig.getReferralInfo(user2);

vm.prank(user3);

//a random user tries to update the referrer rate and authority rate

systemConfig.updateReferrerInfo(user2, 400_000, 400_000);

ReferralInfo memory referralInfoAfter = systemConfig.getReferralInfo(user2);

//a random user update the referralInfo of user2

assert(referralInfoAfter.referrerRate != referralInfoBefore.referrerRate);

assert(referralInfoAfter.authorityRate != referralInfoBefore.authorityRate);

}

Impact

• Likelihood: High
The vulnerability is easily exploitable since a caller can create a new address to bypass the restriction.

• Impact: Medium
A referrer could manipulate the referral bonus by altering the ratio between the referral rate and the authority rate. Moreover, any user can call this function to alter another user’s referral information.

Tools Used

Manual Review

Recommendations

If access control is necessary, it should be implemented by restricting function calls to authorized users, rather than blocking specific addresses. Blocking an address is ineffective as a malicious user can simply generate a new address to bypass the restriction.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.