Rational actors will just set themselves as referral #108

Open
code423n4 opened this issue Jul 7, 2021 · 2 comments

Comments

@code423n4
Contributor

Handle

cmichel

Vulnerability details


When depositing, a referral can be chosen and the only check is:

account != address(0) && referral != address(0) && referrals[account] == address(0)

One can refer themselves.

Impact

(From the contracts that are part of this repo, it's not immediately clear what the referrals are used for.)
If they are used for anything, rational actors will always refer themselves to maximize profits, making the referral system useless.

Recommended Mitigation Steps

Whitelist big influencers that are allowed to be used as referrals to avoid everyone referring themselves or another account they control.
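The check quoted in the report next to a hardened form, as an added example that is not part of the original report or the project's code. The contract, function, event and `allowedReferrers` names are hypothetical, and the sketch assumes the check guards a write to `referrals[account]`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. All names except `referrals` are hypothetical.
contract ReferralRegistry {
    address public immutable owner;

    // account => referral, the mapping named in the report's check
    mapping(address => address) public referrals;
    // Hypothetical allowlist implementing the recommended mitigation
    mapping(address => bool) public allowedReferrers;

    event ReferralSet(address indexed account, address indexed referral);

    constructor() {
        owner = msg.sender;
    }

    function setAllowedReferrer(address referrer, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedReferrers[referrer] = allowed;
    }

    // Condition exactly as quoted in the report: account == referral passes.
    function _setReferralOriginal(address account, address referral) internal {
        if (account != address(0) && referral != address(0) && referrals[account] == address(0)) {
            referrals[account] = referral; // assumed effect of the check
        }
    }

    // Hardened: rejects self-referral and requires an allowlisted referrer.
    // The explicit self-referral test still matters, because an allowlisted
    // address could otherwise name itself when it deposits.
    function _setReferralHardened(address account, address referral) internal {
        if (
            account != address(0) &&
            referral != address(0) &&
            referral != account &&
            allowedReferrers[referral] &&
            referrals[account] == address(0)
        ) {
            referrals[account] = referral;
            emit ReferralSet(account, referral);
        }
    }

    // Hypothetical entry point standing in for the project's deposit path.
    function deposit(address referral) external {
        _setReferralHardened(msg.sender, referral);
    }
}
```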

@kitty-the-kat
Collaborator

kitty-the-kat commented Jul 14, 2021

not an issue/non-critical
Makes no difference, referrals are calculated offchain and not used for anything on chain

@ghoul-sol
Collaborator

Even if this is calculated off-chain, technically being able to refer ourselves is an issue. Even offchain this needs to be filtered out which is extra work. I'm keeping this as low risk.
