Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

AuthorityRate can be bypassed

aresaudits

Summary

Vulnerability Details

The `updateReferrerInfo` function in SystemConfig.sol allows updating the referrer and authority rates. However, it lacks a check to ensure that the _authorityRate meets a minimum threshold. This oversight allows users to set the _authorityRate to 0 and allocate the entire rate to _referrerRate, which can lead to unfair distribution of referral rewards.

/**
* @notice Update referrer setting
* @param _referrer Referrer address
* @param _referrerRate Referrer rate
* @param _authorityRate Authority rate
* @notice _referrerRate + _authorityRate = baseReferralRate + referralExtraRate
* @notice _referrer != _msgSender()
*/
function updateReferrerInfo(
address _referrer,
uint256 _referrerRate,
uint256 _authorityRate
) external {
if (_msgSender() == _referrer) {
revert InvalidReferrer(_referrer);
}
if (_referrer == address(0x0)) {
revert Errors.ZeroAddress();
}
if (_referrerRate < baseReferralRate) {
revert InvalidReferrerRate(_referrerRate);
}
uint256 referralExtraRate = referralExtraRateMap[_referrer];
uint256 totalRate = baseReferralRate + referralExtraRate;
if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {
revert InvalidTotalRate(totalRate);
}
if (_referrerRate + _authorityRate != totalRate) {
revert InvalidRate(_referrerRate, _authorityRate, totalRate);
}
ReferralInfo storage referralInfo = referralInfoMap[_referrer];
referralInfo.referrer = _referrer;
referralInfo.referrerRate = _referrerRate;
referralInfo.authorityRate = _authorityRate;
emit UpdateReferrerInfo(
msg.sender,
_referrer,
_referrerRate,
_authorityRate
);
}

xample Scenario

Assume the following values:

  • baseReferralRate = 3000 (30%)

  • referralExtraRateMap[_referrer] = 2000 (20%)

  • REFERRAL_RATE_DECIMAL_SCALER = 1,000,000

A user calls the function with:

  • _referrer = 0x123...abc

  • _referrerRate = 5000 (50%)

  • _authorityRate = 0 (0%)

Steps:

  1. Caller Check:

    • The caller is not _referrer, so the function proceeds.

  2. Zero Address Check:

    • _referrer is a valid address, so the function proceeds.

  3. Referrer Rate Check:

    • _referrerRate (5000) is not less than baseReferralRate (3000), so the function proceeds.

  4. Calculate Total Rate:

    • referralExtraRate for _referrer is 2000.

    • totalRate = baseReferralRate + referralExtraRate = 3000 + 2000 = 5000.

  5. Total Rate Check:

    • totalRate (5000) is not greater than REFERRAL_RATE_DECIMAL_SCALER (1,000,000), so the function proceeds.

  6. Rate Sum Check:

    • _referrerRate + _authorityRate = 5000 + 0 = 5000.

    • This equals totalRate (5000), so the function proceeds.

  7. Update Referrer Info:

    • The function updates referralInfoMap[_referrer] with the new rates.

    • It emits an UpdateReferrerInfo event.

Impact

In this scenario, the _authorityRate is set to 0, allowing the entire rate to be allocated to _referrerRate. This can lead to unfair distribution of rewards and potential exploitation of the referral system.

Tools Used

Recommendations

Introduce a baseAuthorityRate and add a check to ensure that _authorityRate is not below this minimum threshold.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.