Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Unrestricted Update of Referral Rates in updateReferrerInfo Function

pelz

Summary

The updateReferrerInfo function in the SystemConfig.sol contract allows any user to update the referral rate and authority rate of other users. This flaw can be exploited to tamper with referral rewards calculations, which could impact the protocol's reward distribution system.

Vulnerability Details

The updateReferrerInfo function is intended to update the referral and authority rates for a given referrer. However, the current implementation contains a critical flaw:

  1. Lack of Access Control: The function does not verify whether the caller has the appropriate permissions to update referral rates. As a result, any user can invoke this function to change the referral and authority rates for any other referrer.

  2. Potential Impact: Since the referral and authority rates are used by the protocol to calculate and allocate referral rewards, unauthorized changes can lead to incorrect reward distribution. This can result in financial loss or exploitation of the reward system.

Proof of Concept

The updateReferrerInfo function allows arbitrary updates to the referral and authority rates, as shown below:

function updateReferrerInfo(
address _referrer,
uint256 _referrerRate,
uint256 _authorityRate
) external {
if (_msgSender() == _referrer) {
revert InvalidReferrer(_referrer);
}
if (_referrer == address(0x0)) {
revert Errors.ZeroAddress();
}
if (_referrerRate < baseReferralRate) {
revert InvalidReferrerRate(_referrerRate);
}
uint256 referralExtraRate = referralExtraRateMap[_referrer];
uint256 totalRate = baseReferralRate + referralExtraRate;
if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {
revert InvalidTotalRate(totalRate);
}
if (_referrerRate + _authorityRate != totalRate) {
revert InvalidRate(_referrerRate, _authorityRate, totalRate);
}
// @audit can update for any user here
ReferralInfo storage referralInfo = referralInfoMap[_referrer];
referralInfo.referrer = _referrer;
referralInfo.referrerRate = _referrerRate;
referralInfo.authorityRate = _authorityRate;
emit UpdateReferrerInfo(
msg.sender,
_referrer,
_referrerRate,
_authorityRate
);
}

In this implementation, there are no access control mechanisms to prevent unauthorized users from updating referral information.

Impact

  • Unauthorized Changes: Any user can update the referral and authority rates of other users, potentially leading to unauthorized changes in referral rewards.

  • Financial Exploitation: Incorrect reward calculations due to tampered rates can result in financial losses for the protocol and its users.

Tools Used

Manual Review

Recommendations

Implement Access Control: Restrict the updateReferrerInfo function to authorized users only.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.