code-423n4 / 2022-12-tigris-findings


INITREFS() COULD BE USED TO OVERWRITE ALL REFERRAL DATA #660

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Referrals.sol#L60-L76

Vulnerability details

Impact

Although denoted as deprecated, initRefs() is still present in Referrals.sol and could be called by an owner whose private keys have been compromised to reassign all the referral data. This would particularly affect referrers who may have already put in great effort referring a large pool of traders to Tigris Trade.

Proof of Concept

Referrals.sol#L60-L76

    function initRefs(
        address[] memory _codeOwners,
        bytes32[] memory _ownedCodes,
        address[] memory _referredA,
        bytes32[] memory _referredTo
    ) external onlyOwner {
        // One-shot guard: the function can only ever be executed once
        require(!isInit);
        isInit = true;
        uint _codeOwnersL = _codeOwners.length;
        uint _referredAL = _referredA.length;
        // code => code owner; existing entries are overwritten unconditionally
        for (uint i=0; i<_codeOwnersL; i++) {
            _referral[_ownedCodes[i]] = _codeOwners[i];
        }
        // trader => referral code; existing entries are overwritten unconditionally
        for (uint i=0; i<_referredAL; i++) {
            _referred[_referredA[i]] = _referredTo[i];
        }
    }

Note that a compromised or malicious owner might wait until bytes32[] memory _ownedCodes and address[] memory _referredA have grown into large lists, since initRefs() can only be called once because of isInit. To fully exploit the call, the owner would set address[] memory _codeOwners and bytes32[] memory _referredTo entirely to himself or to addresses and codes under his control.

Recommended Mitigation Steps

It is recommended to remove initRefs() and isInit from the contract so that the protocol can be fully trusted by users.
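The point the finding and the judge disagree on is whether "callable once" is the same as "callable only before any referral data exists". The following Solidity model is an added example, not the warden's or the Tigris project's code: it reproduces the shape of the excerpt above beside a guarded variant that refuses to run once live data is present. Everything except the names _referral, _referred, isInit and initRefs is an assumption (the contract name, the owner handling, the liveCodes counter, createReferralCode and the two getters are invented for illustration).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical, simplified model of a referral store. NOT the Tigris
// Referrals.sol: only _referral, _referred, isInit and initRefs come from
// the excerpt in the finding; everything else is assumed for illustration.
contract ReferralsModel {
    address public owner;
    bool public isInit;

    // Assumed counter: number of codes registered through normal use.
    uint256 public liveCodes;

    mapping(bytes32 => address) private _referral; // code   => code owner
    mapping(address => bytes32) private _referred; // trader => code used

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Assumed normal-path registration used by referrers.
    function createReferralCode(bytes32 _hash) external {
        require(_referral[_hash] == address(0), "code already exists");
        _referral[_hash] = msg.sender;
        liveCodes += 1;
    }

    // Same shape as the excerpt: callable once, but it never checks whether
    // the slots it writes are already populated, so one late call can
    // replace every live entry.
    function initRefs(
        address[] memory _codeOwners,
        bytes32[] memory _ownedCodes,
        address[] memory _referredA,
        bytes32[] memory _referredTo
    ) external onlyOwner {
        require(!isInit);
        isInit = true;
        for (uint256 i = 0; i < _codeOwners.length; i++) {
            _referral[_ownedCodes[i]] = _codeOwners[i];
        }
        for (uint256 i = 0; i < _referredA.length; i++) {
            _referred[_referredA[i]] = _referredTo[i];
        }
    }

    // Hardened variant (assumed design, not the project's): only usable while
    // no code has been registered through normal use, requires matching array
    // lengths, and refuses to overwrite any slot that already holds data.
    function initRefsGuarded(
        address[] memory _codeOwners,
        bytes32[] memory _ownedCodes,
        address[] memory _referredA,
        bytes32[] memory _referredTo
    ) external onlyOwner {
        require(!isInit, "already initialised");
        require(liveCodes == 0, "referral data already live");
        require(_codeOwners.length == _ownedCodes.length, "codes length mismatch");
        require(_referredA.length == _referredTo.length, "referred length mismatch");
        isInit = true;
        for (uint256 i = 0; i < _codeOwners.length; i++) {
            require(_referral[_ownedCodes[i]] == address(0), "code already owned");
            _referral[_ownedCodes[i]] = _codeOwners[i];
        }
        for (uint256 i = 0; i < _referredA.length; i++) {
            require(_referred[_referredA[i]] == bytes32(0), "trader already referred");
            _referred[_referredA[i]] = _referredTo[i];
        }
    }

    function getReferral(bytes32 _hash) external view returns (address) {
        return _referral[_hash];
    }

    function getReferred(address _trader) external view returns (bytes32) {
        return _referred[_trader];
    }
}
```

To see the difference, deploy the model, have a non-owner account call createReferralCode with some code, then call initRefs from the owner with that same code mapped to the owner's address: getReferral now returns the owner. Repeat the sequence with initRefsGuarded instead and the call reverts with "referral data already live". The guarded variant keeps the one-shot migration path the deprecated function was presumably meant for while removing the "wait until the lists are large" window the finding describes; whether that window is an acceptable owner-trust assumption is the question the judge answered below.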

GalloDaSballo commented 1 year ago

Can only call it once so I must disagree with this

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid