Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Unauthorized manipulation of referral rates in `SystemConfig::updateReferrerInfo` allows for increased fee allocation

irondevx

Summary

SystemConfig::updateReferrerInfo allows any address (except the referrer) to update referral rates. While there are safeguards to ensure the referrer's rate doesn't fall below the base rate, this still allows anyone else to potentially manipulate of fee distribution.

SystemConfig.sol#L46-L48

// src/core/SystemConfig.sol

function updateReferrerInfo(address _referrer, uint256 _referrerRate, uint256 _authorityRate) external {

@> if (_msgSender() == _referrer) {

revert InvalidReferrer(_referrer);

}

// rest of the function...

}

Impact

An attacker could set up a separate account to update their own referral rates, potentially allocating up to 70% of the referral fees to themselves as the "authority". This could lead to unfair distribution of referral fees.

Proof of Concept

Let's introduce Alice (attacker) and Bob (maker/offer owner) to the attack scenario.

Before Bob settles an offer, Alice could her referral fee to 100% and get all of the fees for herself whenever Premarkets::_updateReferralBonus executes.

Tools Used

Manual review

Recommended Mitigation Steps

While there's an argument that this will be resolved by enforcing access control on the client, there's no clear way to resolve the issue on the smart contract itself. Here are some ideas though:

Enforce a maximum referrer rate (e.g., 70% of total rate) to ensure some fees always go to the authority or protocol.
Implement access control on the updateReferrerInfo function, allowing only authorized addresses (e.g., admin or governance) to update referral rates.
Consider implementing a timelock or a cooldown period for rate changes to prevent rapid manipulations and so that the offer maker could react to fee updates and inform authorized bodies of the update.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!