Tadle
DeFi
30,000 USDC
Submission Details
Severity: high
Valid

[H-1] `SystemConfig::updateReferrerInfo` can be called by anyone, thus disallowing authority rate

Description:

The Referral system on tadle works in the following way:

  • user1 creates a referral code

  • assuming that user1 has brought a lot of users to the platform, they were granted a referralExtraRate of 10%

  • user1 now sets the referral distribution as follows: 30% referrerRate and 10% authorityRate, and shares the code with user2

Here authorityRate means that whenever user2 trades, they are supposed to get back 10% of the platform fee.

However, any malicious user3 can call `updateReferrerInfo` for user2 and set user2's authority rate to 0.

Relevant code snippet:
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/SystemConfig.sol#L41-L80

The only checks in place as far as addresses are concerned are:

```solidity
function updateReferrerInfo(
    address _referrer,
    uint256 _referrerRate,
    uint256 _authorityRate
) external {
    if (_msgSender() == _referrer) {
        revert InvalidReferrer(_referrer);
    }
    if (_referrer == address(0x0)) {
        revert Errors.ZeroAddress();
    }
    // ... remainder of the function elided here; see the linked source
}
```

Impact:

This will severely impact the protocol, as none of the users will be able to earn any authorityRate.

Given that a referrer can offer a high authorityRate as an incentive so that more and more users adopt their referral link, this breaks the system.

Proof of Concept:

In PreMarkets.sol, whenever createTaker() is called (i.e. when someone matches an offer created by createOffer()), it internally calls _updateReferralBonus to credit the referral bonus to the trader's balance. The trader will expect to withdraw it by calling TokenManager::withdraw(), but they will have no balance left:

```solidity
uint256 authorityReferralBonus = platformFee.mulDiv(
    // @audit -> anyone can call `updateReferrerInfo` in `SystemConfig` and set the authority rate to 0
    referralInfo.authorityRate,
    Constants.REFERRAL_RATE_DECIMAL_SCALER,
    Math.Rounding.Floor
);
tokenManager.addTokenBalance(
    TokenBalanceType.ReferralBonus,
    _msgSender(), // send the authorityBonus to the trader
    makerInfo.tokenAddress,
    authorityReferralBonus
);
```

Recommended Mitigation:

Ideally, when the referrer decides the split, only they should be able to update their referral settings; in addition, a referrerToReferred mapping should be added so that whenever someone referred by the referrer trades, the trade is attributed through the referrer's mapping.
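As an added illustration (a hypothetical contract written for this write-up, not Tadle's `SystemConfig`), the unauthenticated write the finding describes sits next to a version that keys the record by the caller, which is the fix the judge's comment points at. The contract and function names, the `RATE_SCALER` value and the rate-sum bound are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical minimal model of a referral registry written for this write-up.
// It is NOT Tadle's SystemConfig; names and the 10_000 rate scale are assumed.
contract ReferralRegistryModel {
    struct ReferralInfo {
        address referrer;      // receives referrerRate of the platform fee
        uint256 referrerRate;  // share paid to the referrer
        uint256 authorityRate; // share rebated to the referred trader
    }
    error InvalidReferrer(address referrer);
    error ZeroAddress();
    error InvalidRate(uint256 total);

    uint256 public constant RATE_SCALER = 10_000; // 10_000 == 100% (assumed)

    mapping(address => ReferralInfo) public referralInfoMap;

    // VULNERABLE pattern: the storage slot written is chosen by the caller via
    // `_referrer`, and nothing ties msg.sender to it. user3 can pass
    // `_referrer = user2` and overwrite user2's authorityRate with 0.
    function updateReferrerInfoVulnerable(
        address _referrer, uint256 _referrerRate, uint256 _authorityRate
    ) external {
        if (msg.sender == _referrer) revert InvalidReferrer(_referrer);
        if (_referrer == address(0)) revert ZeroAddress();
        referralInfoMap[_referrer] = ReferralInfo(_referrer, _referrerRate, _authorityRate);
    }

    // HARDENED pattern: the slot is keyed by msg.sender, so a caller can only
    // bind a referrer and a split to their OWN account; no other user's record
    // is reachable. The split is also bounded (an assumed invariant).
    function updateReferrerInfo(
        address _referrer, uint256 _referrerRate, uint256 _authorityRate
    ) external {
        if (msg.sender == _referrer) revert InvalidReferrer(_referrer);
        if (_referrer == address(0)) revert ZeroAddress();
        if (_referrerRate + _authorityRate > RATE_SCALER) {
            revert InvalidRate(_referrerRate + _authorityRate);
        }
        referralInfoMap[msg.sender] = ReferralInfo(_referrer, _referrerRate, _authorityRate);
    }

    // Rebate owed to a trader on a platform fee (floor division), mirroring the
    // computation quoted from PreMarkets above.
    function authorityBonus(address trader, uint256 platformFee) external view returns (uint256) {
        return platformFee * referralInfoMap[trader].authorityRate / RATE_SCALER;
    }
}
```

With the vulnerable function, a third account calling it with `_referrer = user2` sets user2's `authorityBonus` to 0 for every future trade; with the hardened one, the same call only touches the caller's own record.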

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `referralInfoMap` mapping.

1. Wrong referral info is always set, so the referral will always be delegated to the referrer address instead of the caller.
2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the referral system.

I prefer #1500's description the most, because it seems to be the only issue, although without a PoC, to fully describe all of the possible impacts.
