Open redzsina opened 3 years ago
Thank you for this, just to clarify:
The way it becomes free is that the referrer is another member under the control of the user?
That is correct.
By free, you here mean, without a cut to the platform? Not unconstrained in the sense of cost-less, because there is a transaction fee which still applies?
That is right, since transaction fees apply, this way of gaining membership will still incur costs.
If so, since the transaction fee is presumably set to deter denial of service risks, the main problem we are concerned with is a parasitic member printing and reselling memberships to third parties at below market rate, so to speak?
Yes, we consider this as the main problem - we agree that this issue would still remain if the referral cut was less than the membership price, but the incentive would depend on the ratio between the referral cut, membership fee and transaction fee.
Related handbook PR: https://github.com/Joystream/handbook/pull/31
Summary
In the membership pallet, a referral_cut value can be configured that determines a referral bonus to incentivize inviting new members for existing members. The special case when the referral_cut == membership_fee enables any user to create unlimited new membership accounts for free. Since both the referral_cut and membership_fee values can be configured via root calls/proposals, we consider this as an information-level issue. As a defensive programming practice, we recommend to ensure that the referral cut is always less than the membership fee.

Issue details
In the membership pallet, a referral_cut value can be configured that determines a referral bonus to incentivize inviting new members for existing members. The referral bonus is calculated in the following way:

The referral bonus is the minimum of membership_fee and referral_cut. If these two values are equal, one could create infinite new accounts for free (create account a, create account b, refer account a -> a's registration was waived, etc).

Risk
If referral_cut == membership_fee, it enables any user to create unlimited new membership accounts for free. Since both of these values can be configured via root calls (set_referral_cut and here set_membership_price), we consider the risk of this very low.

Mitigation
We recommend to enforce that referral_cut < membership_fee always holds, either by providing guidelines for setting these values in a sensible way, or ensuring this relation programmatically.
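
A minimal model of the bonus arithmetic and of the programmatic check recommended above, added here as an example. It is not the Joystream pallet's code: the MembershipConfig type, its method bodies and the balance values are hypothetical, and only the two setter names mirror the root calls named in the issue.

```rust
// Added illustration: a simplified model, not the Joystream membership pallet.
// Types, method bodies and values are hypothetical.
type Balance = u128;

#[derive(Debug, PartialEq)]
enum ConfigError {
    ReferralCutNotBelowFee,
}

#[derive(Debug, Clone, Copy)]
struct MembershipConfig {
    membership_fee: Balance,
    referral_cut: Balance,
}

impl MembershipConfig {
    /// Referral bonus as described in the issue: min(membership_fee, referral_cut).
    fn referral_bonus(&self) -> Balance {
        self.membership_fee.min(self.referral_cut)
    }

    /// What the platform keeps per membership when the buyer also controls the referrer.
    fn platform_revenue_self_referred(&self) -> Balance {
        self.membership_fee - self.referral_bonus()
    }

    /// Guarded setter: rejects any referral cut that is not strictly below the fee.
    fn set_referral_cut(&mut self, new_cut: Balance) -> Result<(), ConfigError> {
        if new_cut >= self.membership_fee {
            return Err(ConfigError::ReferralCutNotBelowFee);
        }
        self.referral_cut = new_cut;
        Ok(())
    }

    /// Guarded setter for the fee: lowering the fee must not break the invariant either.
    fn set_membership_price(&mut self, new_fee: Balance) -> Result<(), ConfigError> {
        if self.referral_cut >= new_fee {
            return Err(ConfigError::ReferralCutNotBelowFee);
        }
        self.membership_fee = new_fee;
        Ok(())
    }
}

fn main() {
    let equal = MembershipConfig { membership_fee: 100, referral_cut: 100 }; // constructed values
    println!("platform revenue at cut == fee: {}", equal.platform_revenue_self_referred());
}
```

Checking the invariant in both setters matters because it can be broken from either side: by raising the cut or by lowering the fee.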