Overwriting existing custom referral codes is possible in Referral::createCustomReferralCode
Summary
The createCustomReferralCode function in the Referral contract allows registered engines to create custom referral codes. However, there is no validation to prevent an existing custom referral code from being overwritten. This allows an attacker to replace the referrer for an existing code, redirecting referral rewards to unauthorized addresses.
Vulnerability Details
The function does not check if
customReferralCodeis already assigned.A malicious actor can overwrite an existing referral code and replace the referrer.
Attack Scenario
A legitimate referrer creates a custom referral code (e.g.,
"BETA123").An attacker calls
createCustomReferralCode(attackerAddress, "BETA123").The attacker replaces the original referrer, hijacking all future referral rewards.
Impact
Rewards meant for one user can be redirected to an unauthorized address.
Users may lose confidence in the referral system if their rewards are stolen.
Malicious actors can repeatedly overwrite referral codes.
Tools Used
Manual Code Review
Recommendations
Modify the function to check if the referral code already exists before assigning a new referrer:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.