Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

Incorrect logic

## Summary
Incorrect logic in `VaultRouterBranch::deposit`.
## Vulnerability Details
If an EOA calls `VaultRouterBranch::deposit` directly to deposit a given amount of collateral assets into the provided vault
in exchange for index tokens, during this deposit a referral code is registered if the referral code is not custom. During
the referral code registration, an external call is made to `Referral::registerReferral`, which is channeled through the
interface `IReferral::registerReferral`.
However, the function `Referral::registerReferral` has the modifier check `onlyRegisteredEngines`, meaning only registered
engines can call `Referral::registerReferral`. Due to the modifier check, the function call to `Referral::registerReferral`
will fail since the EOA is not a registered engine.
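```solidity
function registerReferral(
    bytes calldata referrerCode,
    address referrerAddress,
    bytes calldata referralCode,
    bool isCustomReferralCode
)
    external
    onlyRegisteredEngines // access-control modifier the submission refers to
{
    // function body not included in the submission
}
```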
## Impact
An EOA (`msg.sender`) will not be able to register a referral code during its first-time deposit.
## Recommendations
Add the `onlyRegisteredEngines` modifier check to `VaultRouterBranch::deposit` so that depositing of a given amount of
collateral assets into the provided vault in exchange for index tokens will be channeled through only registered engines.
Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
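
As an added illustration (not Zaros code, and not part of the submission or the judgement), this minimal model shows which address an `onlyRegisteredEngines`-style check sees when a `deposit` function makes the external call. The contract names, `setEngine`, `lastCaller`, and the assumption that the modifier compares `msg.sender` against an owner-managed allowlist are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal model, not Zaros code. Assumes the modifier
// compares msg.sender against an owner-managed allowlist of engines.
contract ReferralModel {
    address public immutable owner;
    mapping(address => bool) public registeredEngines;
    mapping(address => bytes) public referralOf; // referral code per user
    address public lastCaller; // who passed the modifier last

    error EngineNotRegistered(address caller);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyRegisteredEngines() {
        if (!registeredEngines[msg.sender]) revert EngineNotRegistered(msg.sender);
        _;
    }

    function setEngine(address engine, bool allowed) external {
        require(msg.sender == owner, "not owner");
        registeredEngines[engine] = allowed;
    }

    function registerReferral(address user, bytes calldata code) external onlyRegisteredEngines {
        lastCaller = msg.sender; // the calling contract, not the depositing account
        referralOf[user] = code;
    }
}

contract RouterModel {
    ReferralModel public immutable referral;

    constructor(ReferralModel referral_) {
        referral = referral_;
    }

    // Callable by any account. The nested external call below reaches
    // ReferralModel with msg.sender == address(this), not the depositor.
    function deposit(bytes calldata referralCode) external {
        if (referralCode.length != 0) {
            referral.registerReferral(msg.sender, referralCode);
        }
        // collateral transfer and share minting omitted in this model
    }
}
```

In this model, once the `RouterModel` address is allowlisted through `setEngine`, a `deposit` sent by any EOA passes the modifier and `lastCaller` records the router's address; the same EOA calling `registerReferral` directly reverts with `EngineNotRegistered`.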
