Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

updateReferrerInfo doesn't bound the referrer rate and authority rate, so the protocol can end up receiving no platform fee.

Summary

The protocol collects whatever platform fee remains after the referrer fee and authority fee have been paid out.

All of the rate variables are supplied by the caller, and the validation does not protect the protocol's share of the fee.

Vulnerability Details

totalRate consists of referrerRate (paid to the referrer) and authorityRate (paid to the referred user).

However, the upper limit for totalRate can be set to 100% (REFERRAL_RATE_DECIMAL_SCALER) in the SystemConfig contract.

```solidity
function updateReferrerInfo(
    address _referrer,
    uint256 _referrerRate,
    uint256 _authorityRate
) external {
    if (_msgSender() == _referrer) {
        revert InvalidReferrer(_referrer);
    }
    if (_referrer == address(0x0)) {
        revert Errors.ZeroAddress();
    }
    if (_referrerRate < baseReferralRate) {
        revert InvalidReferrerRate(_referrerRate);
    }
    uint256 referralExtraRate = referralExtraRateMap[_referrer];
    uint256 totalRate = baseReferralRate + referralExtraRate;
@>  if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {
        revert InvalidTotalRate(totalRate);
    }
    if (_referrerRate + _authorityRate != totalRate) {
        revert InvalidRate(_referrerRate, _authorityRate, totalRate);
    }
    ReferralInfo storage referralInfo = referralInfoMap[_referrer];
    referralInfo.referrer = _referrer;
    referralInfo.referrerRate = _referrerRate;
    referralInfo.authorityRate = _authorityRate;
    emit UpdateReferrerInfo(
        msg.sender,
        _referrer,
        _referrerRate,
        _authorityRate
    );
}
```

When the referral bonus is updated, the platform fee is split into referrerFee, authorityFee, and protocolFee.

```solidity
function _updateReferralBonus(
    uint256 platformFee,
    uint256 depositAmount,
    address stockAddr,
    MakerInfo storage makerInfo,
    ReferralInfo memory referralInfo,
    ITokenManager tokenManager
) internal returns (uint256 remainingPlatformFee) {
    if (referralInfo.referrer == address(0x0)) {
        remainingPlatformFee = platformFee;
    } else {
        uint256 referrerReferralBonus = platformFee.mulDiv(
            referralInfo.referrerRate,
            Constants.REFERRAL_RATE_DECIMAL_SCALER,
            Math.Rounding.Floor
        );
        /**
         * @dev update referrer referral bonus
         * @dev update authority referral bonus
         */
        tokenManager.addTokenBalance(
            TokenBalanceType.ReferralBonus,
            referralInfo.referrer,
            makerInfo.tokenAddress,
            referrerReferralBonus
        );
        uint256 authorityReferralBonus = platformFee.mulDiv(
            referralInfo.authorityRate,
            Constants.REFERRAL_RATE_DECIMAL_SCALER,
            Math.Rounding.Floor
        );
        tokenManager.addTokenBalance(
            TokenBalanceType.ReferralBonus,
            _msgSender(),
            makerInfo.tokenAddress,
            authorityReferralBonus
        );
@>      remainingPlatformFee =
            platformFee -
            referrerReferralBonus -
            authorityReferralBonus;
        /// @dev emit ReferralBonus
        emit ReferralBonus(
            stockAddr,
            _msgSender(),
            referralInfo.referrer,
            authorityReferralBonus,
            referrerReferralBonus,
            depositAmount,
            platformFee
        );
    }
}
```

If totalRate = referrerRate + authorityRate = REFERRAL_RATE_DECIMAL_SCALER, then remainingPlatformFee is zero, which means the platform receives no fee at all.

Impact

The referral system can make the protocol unprofitable.

Tools Used

Manual review

Recommendations

Set the upper limit to less than 100%, for example as follows, so that the protocol always keeps a share of the fee.

```diff
function updateReferrerInfo(
    address _referrer,
    uint256 _referrerRate,
    uint256 _authorityRate
) external {
    if (_msgSender() == _referrer) {
        revert InvalidReferrer(_referrer);
    }
    if (_referrer == address(0x0)) {
        revert Errors.ZeroAddress();
    }
    if (_referrerRate < baseReferralRate) {
        revert InvalidReferrerRate(_referrerRate);
    }
    uint256 referralExtraRate = referralExtraRateMap[_referrer];
    uint256 totalRate = baseReferralRate + referralExtraRate;
-   if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {
+   if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER / 2) {
        revert InvalidTotalRate(totalRate);
    }
    if (_referrerRate + _authorityRate != totalRate) {
        revert InvalidRate(_referrerRate, _authorityRate, totalRate);
    }
    ReferralInfo storage referralInfo = referralInfoMap[_referrer];
    referralInfo.referrer = _referrer;
    referralInfo.referrerRate = _referrerRate;
    referralInfo.authorityRate = _authorityRate;
    emit UpdateReferrerInfo(
        msg.sender,
        _referrer,
        _referrerRate,
        _authorityRate
    );
}
```

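To make the zero-fee case in Vulnerability Details and the effect of the recommended cap checkable numerically, here is an added Python model (not Tadle's code) of the rate checks in updateReferrerInfo and the fee split in _updateReferralBonus. It assumes REFERRAL_RATE_DECIMAL_SCALER is 1e18 (100%), a baseReferralRate of 30%, and floor rounding in mulDiv as in the contract.

```python
# Added example, not Tadle's code: models updateReferrerInfo's rate validation
# and _updateReferralBonus's fee split. Assumed constants: scaler 1e18 == 100%,
# baseReferralRate 30%; mulDiv rounds down (Math.Rounding.Floor) as on-chain.
SCALER = 10**18                  # assumed REFERRAL_RATE_DECIMAL_SCALER
BASE_REFERRAL_RATE = 3 * 10**17  # assumed baseReferralRate (30%)


def mul_div_floor(x: int, y: int, denominator: int) -> int:
    """x*y/denominator at full precision, rounded down like OpenZeppelin Math.mulDiv."""
    return (x * y) // denominator


def validate_referrer_rates(referrer_rate: int, authority_rate: int,
                            referral_extra_rate: int, max_total_rate: int) -> int:
    """Mirrors updateReferrerInfo's checks; returns totalRate or raises the revert name.
    max_total_rate is SCALER in the original and SCALER // 2 in the recommendation."""
    if referrer_rate < BASE_REFERRAL_RATE:
        raise ValueError("InvalidReferrerRate")
    total_rate = BASE_REFERRAL_RATE + referral_extra_rate
    if total_rate > max_total_rate:
        raise ValueError("InvalidTotalRate")
    if referrer_rate + authority_rate != total_rate:
        raise ValueError("InvalidRate")
    return total_rate


def split_platform_fee(platform_fee: int, referrer_rate: int, authority_rate: int):
    """Mirrors _updateReferralBonus: (referrerBonus, authorityBonus, remainingPlatformFee)."""
    referrer_bonus = mul_div_floor(platform_fee, referrer_rate, SCALER)
    authority_bonus = mul_div_floor(platform_fee, authority_rate, SCALER)
    return referrer_bonus, authority_bonus, platform_fee - referrer_bonus - authority_bonus


def protocol_share(platform_fee: int, referrer_rate: int, authority_rate: int,
                   referral_extra_rate: int, max_total_rate: int) -> int:
    """Protocol's remaining fee once the configured rates pass validation."""
    validate_referrer_rates(referrer_rate, authority_rate, referral_extra_rate, max_total_rate)
    return split_platform_fee(platform_fee, referrer_rate, authority_rate)[2]


if __name__ == "__main__":
    fee = 1_000_000  # constructed: 1 USDC (6 decimals) of platform fee
    # Original cap (100%): extra rate 70% lets referrer 50% + authority 50% pass,
    # and the protocol keeps nothing.
    print(protocol_share(fee, 5 * 10**17, 5 * 10**17, 7 * 10**17, SCALER))       # 0
    # Recommended cap (50%): a 30% + 20% split passes and the protocol keeps half.
    print(protocol_share(fee, 3 * 10**17, 2 * 10**17, 2 * 10**17, SCALER // 2))  # 500000
```

Running the same 50% + 50% rates against the recommended cap raises InvalidTotalRate, which is the behaviour the fix is meant to introduce.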
Updates

Lead Judging Commences

0xnevi Lead Judge, about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0x1912 Submitter, about 1 year ago

0xnevi Lead Judge, about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-wrong-referral-rate-combined-check

Valid medium, specific valid inputs by admin will still cause revert in updates to referral info due to incorrect totalRate computation and checks implemented. Note: Downgrade to low severity: This is a valid issue that highlights a valid inconsistency in the docs. In the docs, it was mentioned in the steps that referral rates can be adjusted up to a maximum of 30% as seen in [Step 4.](https://tadle.gitbook.io/tadle/tadle-incentives-program/referral-program/create-and-manage-referral) but as of now, the minimum referral rate is 30%. However, since referrals are entirely optional, if a minimum 30% referral rate is established and the user deems it as too high, he can simply choose not to perform the referral. Hence, I believe low severity to be appropriate.
