search

code-423n4 / 2022-12-tigris-findings

8 stars 4 forks source link

[NAZ-M10] Deprecated Function Should Be Removed #603

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Referrals.sol#L58

Vulnerability details

Impact

In the natspec of the function initRefs() it clearly states "@notice deprecated" if this is truly the case it should be removed so that it cannot be misused in such a way to overwrite users referral hashes.

Proof of Concept

  1. Alice sets up her referral code and gives it to her friend Bob who has a large position size. He can now save 10% on closing fees and Alice can get her earnings on position size.
  2. Mallory sees that initRefs() was never called and that Bob has a pretty large position size.
  3. Mallory calls initRefs() to overwrite Alice's referral code but with her address as the _codeOwner.
  4. Bob goes to close out a trade and what was meant to be Alice's earnings on his position size is now Mallory's.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider removing the function completely so it is not to be accidentally used or misused.

TriHaz commented 1 year ago

Definitely not med risk, would downgrade it to QA.

c4-sponsor commented 1 year ago

TriHaz marked the issue as sponsor acknowledged

c4-sponsor commented 1 year ago

TriHaz marked the issue as disagree with severity

GalloDaSballo commented 1 year ago

R

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-12-tigris-findings/issues/572