Unrestricted Access to Referral Data Update in SystemConfig::updateReferrerInfo
Summary
The SystemConfig::updateReferrerInfo function is not protected by the onlyOwner modifier, allowing users to change referral information without restrictions.
This lack of access control can lead to unauthorized modifications of referral data, resulting in the protocol not earning the appropriate fees when a Taker is created through the PreMarktes::createTaker function.
Vulnerability Details
The absence of the onlyOwner modifier in the updateReferrerInfo function permits unauthorized users to alter referral data.
This can lead to incorrect fee allocations when a Taker is created, as the referral information may have been modified inappropriately.
Impact
The lack of proper access control could result in the protocol missing out on fees that should be collected when Takers are created, leading to potential revenue loss and undermining the financial integrity of the protocol.
Tools Used
Manual Review
Recommendations
Implement Access Control: Add the onlyOwner modifier to the SystemConfig::updateReferrerInfo function to ensure that only the contract owner can modify referral information.
Code References
File Name: SystemConfig.sol
Line Numbers: Line 41
Lead Judging Commences
finding-SystemConfig-updateReferrerInfo-msgSender
Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.