One can become referral of hash 0x0, and because all users' default referral hash is 0x0 he would become all users' referral by default and earn a lot of fees while users didn't approve it #379
Comments
GalloDaSballo marked the issue as duplicate of #296
TriHaz marked the issue as sponsor confirmed
TriHaz requested judge review
GalloDaSballo marked the issue as not a duplicate
Agree with the sponsor, not a duplicate
Am going to think about this further:
```solidity
if (_referrer != address(0)) {
    unchecked {
        IStable(_tigAsset).mintFor(
            _referrer,
            _positionSize
            * _fees.referralFees // get referral fee%
            / DIVISION_CONSTANT // divide by 100%
        );
    }
    _fees.daoFees = _fees.daoFees - _fees.referralFees*2;
}
```

```solidity
function getRef(
    address _trader
) external view returns(address) {
    return referrals.getReferral(referrals.getReferred(_trader));
}
```
The Warden has shown how, due to an incorrect assumption, the first claimer to the 0 hash will receive referral fees for all non-referred users. Because the finding creates a negative externality and shows a way to extract value from what would be assumed to be the null value, I believe the finding to be of Medium Severity. I'd recommend the Sponsor to either mitigate or set themselves as the 0 hash recipient as a way to receive default fees.
GalloDaSballo changed the severity to 2 (Med Risk)
GalloDaSballo marked the issue as selected for report
Mitigation: code-423n4/2022-12-tigris#2 (comment)
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Referrals.sol#L20-L24
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/TradingExtension.sol#L148-L152
Vulnerability details
Impact
By default the value of `_referred[user]` is 0x0 for all users, and if one sets 0x0 as his referral hash then he would become referral for all the users who didn't set a referral by default, and he would earn a lot of referral funds that users didn't approve.

Proof of Concept
This is `createReferralCode()` code:

As you can see, the attacker can set 0x0 as his referral hash by calling `createReferralCode(0x0)`, and the code would set `_referral[0x0] = attackerAddress` (the attacker needs to be the first one calling this).

Then in the `getRef()` code the logic would return `attackerAddress` as referral for all the users who didn't set a referral.

In the code, `getReferred(trader)` would return 0x0 because the trader didn't set referred, and `getReferral(0x0)` would return `attackerAddress`. The `_handleOpenFees()` and `_handleCloseFees()` functions in the Trading contract would use `getRef(trader)` and they would transfer the referral fee to `attackerAddress`, and the attacker would receive fees from a lot of users who didn't set any referral. Those users didn't set any referral and didn't approve the attacker receiving referral fees from them, and because most of the users wouldn't know about this and referral codes, the attacker would receive a lot of funds.

Tools Used
VIM
Recommended Mitigation Steps
Prevent someone from setting the 0x0 hash for their referral code.
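The recommended mitigation as a compact sketch, added here as an example and not taken from the Tigris contracts: it places the behaviour the report describes beside a registry that reserves the zero hash. The mapping and function names follow the report; the contract names, function bodies, `setReferred()` and revert strings are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code. Names follow the report;
// bodies, setReferred() and revert strings are assumptions.
abstract contract ReferralRegistryBase {
    mapping(bytes32 => address) internal _referral; // code hash => code owner
    mapping(address => bytes32) internal _referred; // trader => code hash (0x0 if unset)

    function createReferralCode(bytes32 _hash) external virtual;

    // Hypothetical setter: a trader opts in to an existing code.
    function setReferred(bytes32 _hash) external {
        require(_referral[_hash] != address(0), "unknown code");
        _referred[msg.sender] = _hash;
    }

    function getReferred(address _trader) public view returns (bytes32) {
        return _referred[_trader];
    }

    function getReferral(bytes32 _hash) public view returns (address) {
        return _referral[_hash];
    }

    // Same lookup chain as the getRef() quoted in the issue.
    function getRef(address _trader) external view returns (address) {
        return getReferral(getReferred(_trader));
    }
}

// Behaviour described in the report: 0x0 can be claimed like any other code,
// so getRef() returns the claimer for every trader whose _referred is unset.
contract ReferralRegistryAsReported is ReferralRegistryBase {
    function createReferralCode(bytes32 _hash) external override {
        require(_referral[_hash] == address(0), "code exists");
        _referral[_hash] = msg.sender;
    }
}

// Mitigation from the report: the default value is never a valid code, so
// getRef() stays address(0) for traders who never chose a referrer.
contract ReferralRegistryHardened is ReferralRegistryBase {
    function createReferralCode(bytes32 _hash) external override {
        require(_hash != bytes32(0), "zero hash reserved");
        require(_referral[_hash] == address(0), "code exists");
        _referral[_hash] = msg.sender;
    }
}
```

With the hardened registry, the `_referrer != address(0)` branch quoted in the judge's comment is skipped for traders without a referral code, so no referral fee is minted for them.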