Anyone can change any trader referrer's info and cause traders to lose their authoritybonus
The protocol allows traders to have a referral bonus from the protocol fee which the total bonus can be split between referrerRate and authorityRate in that referrerRate + authorityRate = totalRate, although referrerRate will always be > authorityRate, the authorityRate can still be assign up to referralExtraRate. The user setting their rates is done in SystemConfig:updateReferrerInfo()
:
The issue here is that it doesn't update the info of the person caller the function(the _msgSender()) instead it updates the info of whoever's address was specified allowing an attacker to manipulate the rate of any trader.
Let's consider this for total rate of 100%:
An exchange firm sets their referrerRate to 70% and authorityRate which they will receive to 30%
Someone sees this and becomes the referrer but changes referrerRate for himself to 100% and authorityRate to 0% before trades execute without the firm permission
Trades execute and the firm losses their authority bonus
Attacker cause traders to lose their authoritybonus
fix:
Valid high severity. There are two impacts here due to the wrong setting of the `refferalInfoMap` mapping. 1. Wrong refferal info is always set, so the refferal will always be delegated to the refferer address instead of the caller 2. Anybody can arbitrarily change the referrer and referrer rate of any user, resulting in gaming of the refferal system I prefer #1500 description the most, be cause it seems to be the only issue although without a poc to fully describe all of the possible impacts
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.