There is no mechanism to remove referrer and set referrer rate as `0` if it is set once
Github link
Summary
Users can set their referrer and a referrer rate by calling the SystemConfig.updateReferrerInfo() function. Eachtime a taker call the PreMarkets.createTaker() function to create an order, a bonus is added to his referrer.
However, there is no mechanism to remove a referrer and set referrer rate as 0.
As a result, users should pay referrerReferralBonus everytime they create orders once they set their referrer once and can't remove referrer and can't set a referrer rate as 0 if they want.
Vulnerability Details
Users can set their referrer and a referrer rateby calling theSystemConfig.updateReferrerInfo()function. Here,_referrerRateshould be equal or greater thanbaseReferralRatewhich is300_000(30%)by default fromL54. As totalRateis sum ofbaseReferralRateandreferralExtraRate, it also should be equal or greater than 300_000(30%)fromL59. Once user's referrer and referrer rate is set, _referrercan't be set asaddress(0)again fromL50. Furthermore, as user's referrer rate should be equal or greater than 300_000(30%), it can't be set as 0`.
As a result, if a user sets his referrer and a referrer rate once, he can't remove his referrer and can't set his referrer rate as 0. So they should pay at least 30% of their deposit amount as referrer bonus more whenever they create orders.
Impact
There is no mechanism to remove referrer and set referrer rate as 0 if it is set once.
As a result, users should pay at least 30% of their deposit amount as referrer bonus more whenever they create orders.
They can't remove referrer and can't set a referrer rate as 0 whenever they want.
Tools Used
Manual Review
Recommendations
It is recommended to add the mechanism to remove referrer.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.