Tadle
Tadle
DeFi
30,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Anyone can change any trader referrer's info and cause traders to lose their authoritybonus

turvec

Summary

Anyone can change any trader referrer's info and cause traders to lose their authoritybonus

Vulnerability Details

The protocol allows traders to have a referral bonus from the protocol fee which the total bonus can be split between referrerRate and authorityRate in that referrerRate + authorityRate = totalRate, although referrerRate will always be > authorityRate, the authorityRate can still be assign up to referralExtraRate. The user setting their rates is done in SystemConfig:updateReferrerInfo():

function updateReferrerInfo(
address _referrer,
uint256 _referrerRate,
uint256 _authorityRate
) external {
if (_msgSender() == _referrer) {
revert InvalidReferrer(_referrer);
}
...
ReferralInfo storage referralInfo = referralInfoMap[_referrer]; <@
referralInfo.referrer = _referrer;
referralInfo.referrerRate = _referrerRate;
referralInfo.authorityRate = _authorityRate;
emit UpdateReferrerInfo(
msg.sender,
_referrer,
_referrerRate,
_authorityRate
);
}

The issue here is that it doesn't update the info of the person caller the function(the _msgSender()) instead it updates the info of whoever's address was specified allowing an attacker to manipulate the rate of any trader.

Let's consider this for total rate of 100%:

  • An exchange firm sets their referrerRate to 70% and authorityRate which they will receive to 30%

  • Someone sees this and becomes the referrer but changes referrerRate for himself to 100% and authorityRate to 0% before trades execute without the firm permission

  • Trades execute and the firm losses their authority bonus

Impact

Attacker cause traders to lose their authoritybonus

Tools Used

Recommendations

fix:

function updateReferrerInfo(
address _referrer,
uint256 _referrerRate,
uint256 _authorityRate
) external {
if (_msgSender() == _referrer) {
revert InvalidReferrer(_referrer);
}
...
- ReferralInfo storage referralInfo = referralInfoMap[_referrer];
+ ReferralInfo storage referralInfo = referralInfoMap[_msgSender()];
referralInfo.referrer = _referrer;
referralInfo.referrerRate = _referrerRate;
referralInfo.authorityRate = _authorityRate;
emit UpdateReferrerInfo(
msg.sender,
_referrer,
_referrerRate,
_authorityRate
);
}
Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-SystemConfig-updateReferrerInfo-msgSender

Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.