Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

The `updateReferralExtraRateMap` Doest Not Take Effect For Previously Set `referralExtraRateMap`

jesjupyter

Summary

In the SystemConfig::updateReferralExtraRateMap function, the owner can update the referralExtraRateMap for a specific referrer. However, this change does not impact the referralInfoMap entries that were set before the update unless the updateReferrerInfo function is called again. This can lead to inconsistencies and potential fund loss for the referrer due to outdated referral rates.

Vulnerability Details

The function updateReferrerInfo enforces the restriction that _referrerRate + _authorityRate must equal baseReferralRate + referralExtraRate:

function updateReferrerInfo(

address _referrer,

uint256 _referrerRate,

uint256 _authorityRate

) external {

...

uint256 referralExtraRate = referralExtraRateMap[_referrer];

uint256 totalRate = baseReferralRate + referralExtraRate;

if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {

revert InvalidTotalRate(totalRate);

}

if (_referrerRate + _authorityRate != totalRate) {

revert InvalidRate(_referrerRate, _authorityRate, totalRate);

}

...

}

However, the referralExtraRateMap can only be updated by the owner through updateReferralExtraRateMap:

function updateReferralExtraRateMap(

address _referrer,

uint256 _extraRate

) external onlyOwner {

uint256 totalRate = _extraRate + baseReferralRate;

if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {

revert InvalidTotalRate(totalRate);

}

referralExtraRateMap[_referrer] = _extraRate;

emit UpdateReferralExtraRateMap(_referrer, _extraRate);

}

The issue arises because any updates to referralExtraRateMap do not automatically affect previously set referralInfoMap. For these changes to take effect, the updateReferrerInfo function must be called for each referral again, which could lead to:

Inconsistency: The referralInfoMap may contain outdated information that does not reflect the latest referralExtraRateMap values.
Potential Fund Loss: If the outdated referralInfoMap is used in subsequent transactions, it could result in incorrect referral bonuses, leading to financial loss for the referrer.

Impact

The update to referralExtraRateMap does not affect previously set referralInfoMap unless the updateReferrerInfo function is called again. This can cause inconsistencies and potential financial losses for the referrer due to outdated referral rates being used.

Tools Used

Manual

Recommendations

The _authorityRate could be deduced from baseReferralRate + referralExtraRate[_referral] - referrerRate instead of storing it directly(of course, some additional cases should be taken into account). This approach ensures that the referralInfoMap is always in sync with the latest referralExtraRateMap values, eliminating the need to update referralInfoMap manually after each change.

Updates

Lead Judging Commences

0xnevi Lead Judge

over 1 year ago

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!