Incorrect set up and logic of `referralInfoMap` in `SystemConfig::updateReferrerInfo` function
Summary
The
referralInfocontains 3 members:referrer,referrerRateandauthorityRate.Here referrer is the person which has referred the other person.
The referralInfoMap contains a mapping from an address to
ReferralInfo, where it is expected to return the 3 members mentioned above for a person who is referred by thereferrer, but thereferralInfoMapsets the referrer address to all the 3 members which is incorrect.As well as anyone can call the function to update the mapping for any address and set arbitrary value for whole mapping members as well as the address for which the mapping is mapped to
referralInfo
Vulnerability Details
-
The vulnerability is present in the
updateReferrerInfofunction where it allows the caller to set up any arbitrary values for thereferrer,referrerRateandauthorityRate, as well as the address for which mapping is mapped from is also set to asreferrer. -
As a result of which anyone can maliciously set values for anyone, but where it is expected that the referrer should only be able to set value for the person to whom he is referring.
-
When a user calls the
updateReferrerInfofunction, it sets the mapping asreferralInfoMap[referrer], and sets up all the values as passed. -
The referral bonus is allocated during the call to
createTakervia_updateReferralBonusfunction, where it uses the values as:
The vulnerability occurs due to the fact that the function allows to set the referrer to any arbitrary address by the caller to their own referral, where it was expected that the referrer should be the
msg.senderand the caller sets up the mapping's address from which is mapped to the authority rate which is expected to be passed in the function instead of referrer.
Therefore, it was expected that the caller for updateReferrerInfo function should only be the referrer and sets the authority to whom he is referring to.
Impact
Incorrect values are set in the
referralInfoMapwhich leads to incorrect allocation increateTakerfunction's referral allocation.As a user can call the function with any arbitrary address, therefore they can set up their own other address as referrer where
referreras well as the authority to whom referrer is expected to refer to is set to a single address, so a user gets whole discount on platform fee for both referrer and their own (i.e. authority).Also, anyone can front-run the
updateReferrerInfofunction before a user callscreateTakerand can maliciously update the authorityRate or the referralRate as a result of which the taker will experience different results.
Tools Used
Manual Review
Recommendations
Make the referrer to call the updateReferrerInfo as msg.sender, and pass authority as a parameter to be set up as the one to whom referrer is referring to.
Lead Judging Commences
finding-SystemConfig-updateReferrerInfo-msgSender
Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.