Missing access control in ```SystemConfig::updateReferrerInfo``` leads to unauthorized updating of the referrer info
Summary
The SystemConfig::updateReferrerInfo allows updating the referrer rate without any access control restrictions. This means any user interacting with the contract can modify the referrer rate, altering the economic incentives within the system.
Vulnerability Details
The absence of access control mechanisms, such as the onlyOwner modifier on the updateReferrerInfo function exposes the contract to unauthorized modifications of critical parameters. This oversight enables any address to call the function and change the referrer rate, bypassing intended governance or administrative controls.
Impact
Malicious actors can exploit this flaw to set referrer rates to their advantage, disrupting the intended economic model of the platform.
Tools Used
Manual review
Recommendations
Implement an access control adding the onlyOwner modifier.
Lead Judging Commences
finding-SystemConfig-updateReferrerInfo-msgSender
Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.