Joystream / audits

Repo for organizing & collaborating on audits.

Missing checks on the `referral_cut` value could enable creating unlimited membership accounts for free #2

Open redzsina opened 3 years ago

redzsina commented 3 years ago

Summary

In the membership pallet, a referral_cut value can be configured that determines a referral bonus to incentivize inviting new members for existing members. The special case when the referral_cut == membership_fee enables any user to create unlimited new membership accounts for free. Since both the referral_cut and membership_fee values can be configured via root calls/proposals, we consider this an information-level issue. As a defensive programming practice, we recommend ensuring that the referral cut is always less than the membership fee.

Issue details

In the membership pallet, a referral_cut value can be configured that determines a referral bonus to incentivize inviting new members for existing members. The referral bonus is calculated in the following way:

    // Calculate the current referral bonus: the minimum of the membership fee and the referral cut.
    pub(crate) fn get_referral_bonus() -> BalanceOf<T> {
        let membership_fee = Self::membership_price();
        let referral_cut = Self::referral_cut();

        membership_fee.min(referral_cut)
    }

The referral bonus is the minimum of membership_fee and referral_cut. If these two values are equal, one could create infinite new accounts for free (create account a, create account b, refer account a -> a's registration was waived, etc).

Risk

If referral_cut == membership_fee, it enables any user to create unlimited new membership accounts for free. Since both of these values can be configured via root calls (set_referral_cut and set_membership_price), we consider the risk of this very low.

Mitigation

We recommend enforcing that referral_cut < membership_fee always holds, either by providing guidelines for setting these values in a sensible way, or by ensuring this relation programmatically.

bedeho commented 3 years ago

Thank you for this, just to clarify:

  1. The way it becomes free is that the referrer is another member under the control of the user?
  2. By free, you here mean, without a cut to the platform? Not unconstrained in the sense of cost-less, because there is a transaction fee which still applies? If so, since the transaction fee is presumably set to deter denial of service risks, the main problem we are concerned with is a parasitic member printing and reselling memberships to third parties at below market rate, so to speak? If so, I suppose that would still be an issue even if the cut was less than the full membership fee.
redzsina commented 3 years ago

> The way it becomes free is that the referrer is another member under the control of the user?

That is correct.

> By free, you here mean, without a cut to the platform? Not unconstrained in the sense of cost-less, because there is a transaction fee which still applies?

That is right, since transaction fees apply, this way of gaining membership will still incur costs.

> If so, since the transaction fee is presumably set to deter denial of service risks, the main problem we are concerned with is a parasitic member printing and reselling memberships to third parties at below market rate, so to speak?

Yes, we consider this the main problem. We agree that this issue would still remain if the referral cut was less than the membership price, but the incentive would depend on the ratio between the referral cut, membership fee and transaction fee.
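The following is an added example written for this thread; it is not Joystream's pallet code. It models the `min(membership_fee, referral_cut)` rule quoted in the issue, adds the programmatic invariant the mitigation section recommends (both setters reject any state where the cut is not strictly below the fee), and works through the cost model from the discussion above: what a user who controls the referrer actually pays per membership once the transaction fee is counted, and what the platform keeps. The type names, the `Error` variants and the sample values (fee 100, cut 100, transaction fee 1) are assumptions made for the example.

```rust
// Added example, not the project's own code. A stand-alone model of the
// membership pallet's referral bonus, the recommended invariant, and the
// economics of the self-referral loop described in the issue.
type Balance = u128;

#[derive(Debug, Clone, PartialEq)]
pub struct MembershipParams {
    pub membership_price: Balance,
    pub referral_cut: Balance,
}

#[derive(Debug, PartialEq)]
pub enum Error {
    /// referral_cut >= membership_price would make referred memberships free.
    ReferralCutTooHigh,
    /// Lowering the price to or below the current cut breaks the same relation.
    MembershipPriceTooLow,
}

impl MembershipParams {
    /// The rule quoted in the issue: bonus = min(membership_fee, referral_cut).
    pub fn referral_bonus(&self) -> Balance {
        self.membership_price.min(self.referral_cut)
    }

    /// True when the recommended invariant referral_cut < membership_price holds.
    pub fn invariant_holds(&self) -> bool {
        self.referral_cut < self.membership_price
    }

    /// Hardened setter: refuse any cut that is not strictly below the fee.
    pub fn set_referral_cut(&mut self, cut: Balance) -> Result<(), Error> {
        if cut >= self.membership_price {
            return Err(Error::ReferralCutTooHigh);
        }
        self.referral_cut = cut;
        Ok(())
    }

    /// The price side needs the same guard, otherwise a later price change
    /// can silently re-create the referral_cut == membership_fee state.
    pub fn set_membership_price(&mut self, price: Balance) -> Result<(), Error> {
        if price <= self.referral_cut {
            return Err(Error::MembershipPriceTooLow);
        }
        self.membership_price = price;
        Ok(())
    }

    /// What the platform retains from one referred membership (fee minus bonus).
    pub fn platform_cut(&self) -> Balance {
        self.membership_price - self.referral_bonus()
    }

    /// Net outlay for one membership when the referrer is an account the buyer
    /// controls: the fee goes out, the bonus comes back, the tx fee is sunk.
    pub fn net_cost_with_self_referral(&self, tx_fee: Balance) -> Balance {
        self.platform_cut() + tx_fee
    }

    /// Total cost of minting `n` memberships in the loop from the issue: the
    /// first account has no referrer and pays the full fee, every later one
    /// is referred by an account already in the loop.
    pub fn loop_cost(&self, tx_fee: Balance, n: u32) -> Balance {
        if n == 0 {
            return 0;
        }
        let first = self.membership_price + tx_fee;
        first + Balance::from(n - 1) * self.net_cost_with_self_referral(tx_fee)
    }
}

fn main() {
    // Constructed sample values for illustration.
    let degenerate = MembershipParams { membership_price: 100, referral_cut: 100 };
    println!(
        "cut == fee: platform keeps {} per membership, buyer pays {} each (tx fee 1)",
        degenerate.platform_cut(),
        degenerate.net_cost_with_self_referral(1)
    );
    let mut safe = MembershipParams { membership_price: 100, referral_cut: 50 };
    println!("raise cut to 100 -> {:?}", safe.set_referral_cut(100));
    println!("raise cut to 99  -> {:?}", safe.set_referral_cut(99));
    println!("5 memberships via the loop cost {}", safe.loop_cost(1, 5));
}
```

Note that even with the invariant in place the loop still nets the buyer a discount of `referral_bonus` per membership, which is the point bedeho raises: the guard only removes the degenerate "free" case, while the resale incentive is governed by how close `referral_cut` sits to `membership_price` relative to the transaction fee.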

shamil-gadelshin commented 3 years ago

Related handbook PR: https://github.com/Joystream/handbook/pull/31