Part 2

Zaros
Perpetuals DEX Foundry Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect referral code validation in Referral.sol

Summary

The registerReferral function in Referral.sol has multiple vulnerabilities related to referral code validation.

Vulnerability Details

The function converts referralCode to a string without checking its length:

    // Referral.sol, line 177
    CustomReferralConfiguration.Data storage customReferral =
        CustomReferralConfiguration.load(string(referralCode));

  • If referralCode is excessively long, it could lead to high gas consumption or unintended behavior.

  • Malicious users could submit a large bytes input, potentially causing storage issues.

When isCustomReferralCode is false, the function assumes referralCode contains a valid address and directly decodes it:

    // Referral.sol, line 190
    if (referrerAddress == abi.decode(referralCode, (address))) {
        revert InvalidReferralCode();
    }

  • If referralCode is malformed (e.g., incorrect length), abi.decode may revert, leading to unexpected contract behavior.

  • One can exploit this by providing manipulated referralCode inputs.

The function only checks if referralCode.length != 0 but does not prevent empty strings:

    // Referral.sol, line 173
    if (referralCode.length != 0) {
        // ...
    }

  • An empty string ("") could be stored as a valid referral code, causing inconsistencies in the referral tracking system.

  • It allows users to bypass intended validation checks.

Impact

  • Attackers or users could exploit these issues to register invalid or arbitrary referral codes.

Tools Used

  • Manual Code Review

Recommendations

  • Validate referralCode length before converting to string:

    if (referralCode.length > MAX_REFERRAL_CODE_LENGTH) {
        revert InvalidReferralCode();
    }

  • Ensure referralCode is exactly 20 bytes before decoding to address:

    if (!isCustomReferralCode) {
        if (referralCode.length != 20) {
            revert InvalidReferralCode();
        }
        address decodedAddress = abi.decode(referralCode, (address));
        if (referrerAddress == decodedAddress) {
            revert InvalidReferralCode();
        }
    }

  • Disallow empty strings as custom referral codes:

    if (isCustomReferralCode && referralCode.length == 0) {
        revert InvalidReferralCode();
    }

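The three checks recommended above, combined into one helper as an added example; this is not Zaros code and not part of the submission. The library and function names and the value of MAX_REFERRAL_CODE_LENGTH are assumptions. It also assumes a non-custom code is the ABI-encoded referrer address, for which abi.decode needs a full 32-byte word, so the length guard uses 32.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: ReferralCodeChecks and validate are hypothetical names.
library ReferralCodeChecks {
    error InvalidReferralCode();

    // Assumed limit; the page names the constant but gives no value.
    uint256 internal constant MAX_REFERRAL_CODE_LENGTH = 32;

    /// Returns the decoded address for a non-custom code, or address(0)
    /// for a custom code (looking up a custom code is out of scope here).
    function validate(
        bytes memory referralCode,
        bool isCustomReferralCode,
        address referrerAddress
    ) internal pure returns (address decoded) {
        // Bound the input before any string conversion or storage lookup.
        if (referralCode.length > MAX_REFERRAL_CODE_LENGTH) {
            revert InvalidReferralCode();
        }

        if (isCustomReferralCode) {
            // An empty custom code is never valid.
            if (referralCode.length == 0) revert InvalidReferralCode();
            return address(0);
        }

        // abi.decode of an address consumes one 32-byte word and reverts
        // without a reason on shorter input, so check the length first.
        if (referralCode.length != 32) revert InvalidReferralCode();

        // Decode as uint256 so non-zero upper bits produce the custom
        // error rather than the decoder's own revert.
        uint256 word = abi.decode(referralCode, (uint256));
        if ((word >> 160) != 0) revert InvalidReferralCode();

        decoded = address(uint160(word));

        // Same comparison as the page's snippet: the code must not
        // decode to referrerAddress itself.
        if (decoded == referrerAddress) revert InvalidReferralCode();
    }
}
```
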
Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
