Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Overwriting of Custom Referral Codes Due to Missing Uniqueness Check

josh4324

Summary

The createCustomReferralCode function allows registeredEngines to create custom referral codes but does not verify whether the provided code is already being used by another user. This means that If a new user is assigned an existing CustomRerralCode, it will overwrite the current owner of the CustomRerralCode, and the new user will become the new owner and can get any rewards already attached to the CustomRerralCode.

Vulnerability Details

function createCustomReferralCode(
address referrer,
string calldata customReferralCode
)
external
onlyRegisteredEngines
{
@> CustomReferralConfiguration.load(customReferralCode).referrer = referrer;
emit LogCreateCustomReferralCode(referrer, customReferralCode);
}
function load(string memory customReferralCode)
internal
pure
returns (Data storage customReferralConfiguration)
{
bytes32 slot = keccak256(abi.encode(CUSTOM_REFERRAL_CONFIGURATION_LOCATION, customReferralCode));
assembly {
customReferralConfiguration.slot := slot
}
}

The function does not validate whether customReferralCode is already registered in the system.If a customReferralCode already exists, calling this function with the same code will overwrite the existing referrer address, transferring ownership to the new referrer. Any rewards or incentives tied to the original customReferralCode (e.g., accumulated commissions, bonuses) will now redirect to the new owner, effectively stealing value from the original referrer.

Impact

Original referrers lose access to accrued rewards linked to their customReferralCode.

POC

function testWhenCreateCustomReferralCodeIsCalled(
)
external
givenTheSenderIsTheRegisteredEngine
{
//address referrer,
//string memory customReferralCode
string memory customReferralCode = "Custom Code";
bytes memory bytesReferralCode = bytes(customReferralCode);
changePrank({ msgSender: address(perpsEngine) });
// it should emit {LogCreateCustomReferralCode} event
address referralModule = perpsEngine.workaround_getReferralModule();
vm.expectEmit({ emitter: referralModule });
emit Referral.LogCreateCustomReferralCode(users.naruto.account, customReferralCode);
Referral(address(referralModule)).createCustomReferralCode(users.naruto.account, customReferralCode);
// it should the custom referral code and referrer on storage
address referrerReceived = perpsEngine.getCustomReferralCodeReferrer(customReferralCode);
assertEq(referrerReceived, users.naruto.account, "Referrer not set correctly");
Referral(address(referralModule)).createCustomReferralCode(users.sasuke.account, customReferralCode);
address referrerReceived1 = perpsEngine.getCustomReferralCodeReferrer(customReferralCode);
assertEq(referrerReceived1, users.sasuke.account, "Referrer not set correctly");
}

Tools Used

Manual Review

Recommendations

Add a uniqueness check to ensure customReferralCode is not already registered before allowing its creation:

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

josh4324 Submitter
6 months ago
inallhonesty Lead Judge
6 months ago
inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Custom Referral Code Conflict Across Engines

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.