Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

The referral bonus can't be split correctly between the referrer and the authority referral

Summary

The referral bonus is meant to be split between the referrer and the authority (the trader who was referred by the referrer), but this is not always possible with the current updateReferrerInfo function.

Vulnerability Details

The Tadle docs say that the referral bonus can be split between the referrer and the authority referral as the referrer wishes, but the current updateReferrerInfo function does not always allow this.

The referral bonus starts at 30%, and the referrer should be able to distribute this percentage between himself and his referrals as he wishes. However, updateReferrerInfo reverts if _referrerRate is less than baseReferralRate, which is 30% (the _referrerRate < baseReferralRate check, lines 16-18 in the code below). This prevents splitting the referral bonus between the referrer and the authority referral.

The referral bonus can be split correctly only when the owner of the contract allows the referrer to give an extra rate: a referralExtraRate registered in the referralExtraRateMap mapping.

```solidity
function updateReferrerInfo(
    address _referrer,
    uint256 _referrerRate,
    uint256 _authorityRate
) external {
    if (_msgSender() == _referrer) {
        revert InvalidReferrer(_referrer);
    }

    if (_referrer == address(0x0)) {
        revert Errors.ZeroAddress();
    }

    if (_referrerRate < baseReferralRate) {
        revert InvalidReferrerRate(_referrerRate);
    }

    uint256 referralExtraRate = referralExtraRateMap[_referrer];
    uint256 totalRate = baseReferralRate + referralExtraRate;

    if (totalRate > Constants.REFERRAL_RATE_DECIMAL_SCALER) {
        revert InvalidTotalRate(totalRate);
    }

    if (_referrerRate + _authorityRate != totalRate) {
        revert InvalidRate(_referrerRate, _authorityRate, totalRate);
    }

    ReferralInfo storage referralInfo = referralInfoMap[_referrer];
    referralInfo.referrer = _referrer;
    referralInfo.referrerRate = _referrerRate;
    referralInfo.authorityRate = _authorityRate;

    emit UpdateReferrerInfo(
        msg.sender,
        _referrer,
        _referrerRate,
        _authorityRate
    );
}
```

The test below shows that when a user tries to split the referral bonus between the referrer and the authority referral, the updateReferrerInfo function reverts with the InvalidReferrerRate error, preventing the split.

```solidity
function test_referral_turbo_usdc() public {
    // the function reverts if the referrer rate is less than 30%,
    // so the rate can't be split between the referrer and the authority referral.
    vm.prank(user1);
    vm.expectRevert(abi.encodeWithSelector(ISystemConfig.InvalidReferrerRate.selector, 200000));
    systemConfig.updateReferrerInfo(user, 200_000, 100_000);
    vm.stopPrank();

    vm.startPrank(user);
    preMarktes.createOffer(
        CreateOfferParams(
            marketPlace, address(mockUSDCToken), 1000, 0.01 * 1e18, 12000, 300, OfferType.Ask, OfferSettleType.Turbo
        )
    );

    address offerAddr = GenerateAddress.generateOfferAddress(0);
    preMarktes.createTaker(offerAddr, 500);

    address stock1Addr = GenerateAddress.generateStockAddress(1);
    preMarktes.listOffer(stock1Addr, 0.006 * 1e18, 12000);
    vm.stopPrank();
}
```
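The rate checks of updateReferrerInfo, modeled in Python as an added example (not Tadle's code or the submitter's): it enumerates which splits pass and shows that the authority's share can never exceed referralExtraRate. `SCALER = 1_000_000` and `BASE_REFERRAL_RATE = 300_000` are assumptions inferred from the test's values, and `enforce_minimum=False` is a hypothetical relaxed variant, not the project's fix.

```python
# Added model of the updateReferrerInfo rate checks; not Tadle's code.
# The caller and zero-address checks are omitted because they do not affect rates.
SCALER = 1_000_000            # assumed Constants.REFERRAL_RATE_DECIMAL_SCALER
BASE_REFERRAL_RATE = 300_000  # 30%, inferred from the test's 200_000 + 100_000


def check_rates(referrer_rate, authority_rate, extra_rate=0, enforce_minimum=True):
    """Return the name of the revert the checks would raise, or None if accepted."""
    # enforce_minimum=False models a hypothetical variant without the minimum check.
    if enforce_minimum and referrer_rate < BASE_REFERRAL_RATE:
        return "InvalidReferrerRate"
    total_rate = BASE_REFERRAL_RATE + extra_rate
    if total_rate > SCALER:
        return "InvalidTotalRate"
    if referrer_rate + authority_rate != total_rate:
        return "InvalidRate"
    return None


def accepted_splits(extra_rate=0, enforce_minimum=True, step=50_000):
    """Enumerate (referrer_rate, authority_rate) pairs that pass every check."""
    total = BASE_REFERRAL_RATE + extra_rate
    return [
        (r, total - r)
        for r in range(0, total + 1, step)
        if check_rates(r, total - r, extra_rate, enforce_minimum) is None
    ]


def max_authority_rate(extra_rate=0, enforce_minimum=True):
    """Largest authority share any accepted split can assign, or None if none pass."""
    splits = accepted_splits(extra_rate, enforce_minimum)
    return max(a for _, a in splits) if splits else None


if __name__ == "__main__":
    print("no extra rate:   ", accepted_splits(0))
    print("extra = 100_000: ", accepted_splits(100_000))
    print("minimum removed: ", accepted_splits(0, enforce_minimum=False))
```
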

Impact

The referral bonus can't be split correctly between the referrer and the authority referral.

Tools Used

Manual Review

Recommendations

Modify the updateReferrerInfo function to allow the correct split of the referral bonus.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-wrong-referral-rate-combined-check

Valid medium, specific valid inputs by admin will still cause revert in updates to referral info due to incorrect totalRate computation and checks implemented. Note: Downgrade to low severity: This is a valid issue that highlights a valid inconsistency in the docs. In the docs, it was mentioned in the steps that referral rates can be adjusted up to a maximum of 30% as seen in [Step 4](https://tadle.gitbook.io/tadle/tadle-incentives-program/referral-program/create-and-manage-referral), but as of now, the minimum referral rate is 30%. However, since referrals are entirely optional, if a minimum 30% referral rate is established and the user deems it as too high, he can simply choose not to perform the referral. Hence, I believe low severity to be appropriate.

Appeal created

h2134 Auditor
about 1 year ago
0xnevi Lead Judge
about 1 year ago