Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

No Access Control and Validation in `SystemConfig:updateReferrerInfo` function

Summary

The SystemConfig:updateReferrerInfo function is designed to update referral settings, including referrer rates and authority rates. However, the function is currently exposed as external without any access control restrictions. This lack of access control means that any address can call the function, posing significant risks to the integrity and security of the contract.

Vulnerability Details

The updateReferrerInfo function is marked external and lacks any access control modifiers such as onlyOwner or role-based access control checks. This implies that any address, including unauthorized users and potentially malicious actors, can call this function.

Without restrictions, attackers could exploit the function to manipulate the referral system. They can set fraudulent or inappropriate referral rates and hijack referral information for their benefit.

The function allows setting referrer rates (_referrerRate) and authority rates (_authorityRate) without validations. Users could set rates that violate the expected sum conditions, leading to inconsistent or corrupted referral data.

See the following code:

function updateReferrerInfo(
    address _referrer,
    uint256 _referrerRate,
    uint256 _authorityRate
) external {
    if (_msgSender() == _referrer) {
        revert InvalidReferrer(_referrer);
    }
    if (_referrer == address(0x0)) {
        revert Errors.ZeroAddress();
    }
    if (_referrerRate < baseReferralRate) {
        revert InvalidReferrerRate(_referrerRate);
    }
    uint256 referralExtraRate = referralExtraRateMap[_referrer];
    uint256 totalRate = baseReferralRate + referralExtraRate;
    if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {
        revert InvalidTotalRate(totalRate);
    }
    if (_referrerRate + _authorityRate != totalRate) {
        revert InvalidRate(_referrerRate, _authorityRate, totalRate);
    }
    ReferralInfo storage referralInfo = referralInfoMap[_referrer];
    referralInfo.referrer = _referrer;
    referralInfo.referrerRate = _referrerRate;
    referralInfo.authorityRate = _authorityRate;
    emit UpdateReferrerInfo(
        msg.sender,
        _referrer,
        _referrerRate,
        _authorityRate
    );
}

Impact

Unauthorized users could change referral rates and authority settings, undermining the referral system's design and purpose. They can set the rates excessively high in order to benefit from the system. They can even set a rate to 0, causing precision loss and incorrect calculations in the system. Manipulation of referral rates would lead to financial losses in users' incentives or rewards.

Tools Used

Manual Review

Recommendations

Restrict this function's access with an onlyOwner modifier or a dedicated role, and strictly validate the parameters as well.
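The following is an added example, not code from the Tadle repository or from this submission. It shows one way to harden the function along the lines of this report and the lead judge's note: the privileged knob (a referrer's extra rate) becomes owner-only, while the user-facing setter keeps the existing rate checks but writes the record under msg.sender instead of under _referrer, so a caller can only ever bind their own account to a referrer and can no longer overwrite another user's entry. The struct, constant value, error and event declarations, and the setReferralExtraRate helper are assumptions declared locally so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Tadle's code). Contrast with the original function above:
// the original stores the record under referralInfoMap[_referrer], which is
// what lets any caller rewrite any referrer's entry. Here the record is keyed
// by the caller, and the only admin-controlled input is the extra rate.
contract ReferralConfigHardened {
    struct ReferralInfo {
        address referrer;
        uint256 referrerRate;
        uint256 authorityRate;
    }

    // Assumption: rates are expressed in basis points (10_000 == 100%).
    uint256 public constant REFERRAL_RATE_DECIMAL_SCALER = 10_000;

    address public owner;
    uint256 public baseReferralRate;

    mapping(address => uint256) public referralExtraRateMap;
    // Keyed by the referred user (the caller), not by the referrer.
    mapping(address => ReferralInfo) public referralInfoMap;

    error NotOwner();
    error ZeroAddress();
    error InvalidReferrer(address referrer);
    error InvalidReferrerRate(uint256 referrerRate);
    error InvalidTotalRate(uint256 totalRate);
    error InvalidRate(uint256 referrerRate, uint256 authorityRate, uint256 totalRate);

    event UpdateReferrerInfo(
        address indexed user,
        address indexed referrer,
        uint256 referrerRate,
        uint256 authorityRate
    );

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 _baseReferralRate) {
        if (_baseReferralRate > REFERRAL_RATE_DECIMAL_SCALER) revert InvalidTotalRate(_baseReferralRate);
        owner = msg.sender;
        baseReferralRate = _baseReferralRate;
    }

    // Assumed helper: only the owner may widen a referrer's share. This is the
    // part of the referral configuration that warrants access control.
    function setReferralExtraRate(address _referrer, uint256 _extraRate) external onlyOwner {
        if (_referrer == address(0)) revert ZeroAddress();
        uint256 totalRate = baseReferralRate + _extraRate;
        if (totalRate > REFERRAL_RATE_DECIMAL_SCALER) revert InvalidTotalRate(totalRate);
        referralExtraRateMap[_referrer] = _extraRate;
    }

    // A user binds themselves to a referrer. The same rate checks as the
    // original apply; the difference is the storage key (msg.sender).
    function updateReferrerInfo(
        address _referrer,
        uint256 _referrerRate,
        uint256 _authorityRate
    ) external {
        if (msg.sender == _referrer) revert InvalidReferrer(_referrer);
        if (_referrer == address(0)) revert ZeroAddress();
        if (_referrerRate < baseReferralRate) revert InvalidReferrerRate(_referrerRate);

        uint256 totalRate = baseReferralRate + referralExtraRateMap[_referrer];
        if (totalRate > REFERRAL_RATE_DECIMAL_SCALER) revert InvalidTotalRate(totalRate);
        if (_referrerRate + _authorityRate != totalRate) {
            revert InvalidRate(_referrerRate, _authorityRate, totalRate);
        }

        // Write under the caller: no address can modify another user's record.
        ReferralInfo storage info = referralInfoMap[msg.sender];
        info.referrer = _referrer;
        info.referrerRate = _referrerRate;
        info.authorityRate = _authorityRate;

        emit UpdateReferrerInfo(msg.sender, _referrer, _referrerRate, _authorityRate);
    }
}
```

If the protocol instead intends referral parameters to be set centrally, the same contract works with onlyOwner added to updateReferrerInfo and the user address passed in explicitly; the check that matters in either design is that the mapping key is the account whose referral is being configured, not an attacker-chosen address.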

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `referralInfoMap` mapping.
1. Wrong referral info is always set, so the referral will always be delegated to the referrer address instead of the caller.
2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the referral system.
I prefer the #1500 description the most, because it seems to be the only issue, although without a PoC to fully describe all of the possible impacts.