code-423n4 / 2023-03-wenwin-findings


Referrer can be referee #294

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/ReferralSystem.sol#L52-L72

Vulnerability details

Impact

Referrer can be referee, which is not aligned with the intention of the referral program and allows a referrer to get unintended referral rewards - essentially stealing from the rewards pool.

Proof of Concept

Function referralRegisterTickets only checks that the referrer is != address(0). It does not check that referrer is != referee. Hence, attackers can 'refer' themselves and get the referral rewards.

File: 2023-03-wenwin/src/ReferralSystem.sol (L52 - 72)

```solidity
function referralRegisterTickets(
    uint128 currentDraw,
    address referrer,
    address player,
    uint256 numberOfTickets
)
    internal
{
    // Only the zero address is rejected; referrer == player is accepted as-is.
    if (referrer != address(0)) {
        uint256 minimumEligible = minimumEligibleReferrals[currentDraw];
        if (unclaimedTickets[currentDraw][referrer].referrerTicketCount + numberOfTickets >= minimumEligible) {
            if (unclaimedTickets[currentDraw][referrer].referrerTicketCount < minimumEligible) {
                totalTicketsForReferrersPerDraw[currentDraw] +=
                    unclaimedTickets[currentDraw][referrer].referrerTicketCount;
            }
            totalTicketsForReferrersPerDraw[currentDraw] += numberOfTickets;
        }
        unclaimedTickets[currentDraw][referrer].referrerTicketCount += uint128(numberOfTickets);
    }
    unclaimedTickets[currentDraw][player].playerTicketCount += uint128(numberOfTickets);
}
```

Tools Used

Manual review.

Recommended Mitigation Steps

Include a check that referrer is != referee.
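As an added example (not the Wenwin code and not the warden's), the same function with the recommended referrer-is-not-referee check in place; the struct, the mapping declarations, the wrapper and the `ReferrerIsPlayer` error are assumptions made only to keep it self-contained:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical stripped-down referral register: same accounting as the
/// original function, plus a guard against a player referring themselves.
contract SelfReferralGuard {
    struct UnclaimedTicketsData {
        uint128 referrerTicketCount;
        uint128 playerTicketCount;
    }

    // Assumed error name; any revert reason would do.
    error ReferrerIsPlayer();

    mapping(uint128 => uint256) public minimumEligibleReferrals;
    mapping(uint128 => uint256) public totalTicketsForReferrersPerDraw;
    mapping(uint128 => mapping(address => UnclaimedTicketsData)) public unclaimedTickets;

    function referralRegisterTickets(
        uint128 currentDraw,
        address referrer,
        address player,
        uint256 numberOfTickets
    ) internal {
        if (referrer != address(0)) {
            // Mitigation: the referee may not credit themselves as referrer.
            // The check sits before any referrer accounting so a self-referral
            // never touches referrerTicketCount or the per-draw pool total.
            if (referrer == player) revert ReferrerIsPlayer();

            uint256 minimumEligible = minimumEligibleReferrals[currentDraw];
            UnclaimedTicketsData storage ref = unclaimedTickets[currentDraw][referrer];
            if (ref.referrerTicketCount + numberOfTickets >= minimumEligible) {
                if (ref.referrerTicketCount < minimumEligible) {
                    totalTicketsForReferrersPerDraw[currentDraw] += ref.referrerTicketCount;
                }
                totalTicketsForReferrersPerDraw[currentDraw] += numberOfTickets;
            }
            ref.referrerTicketCount += uint128(numberOfTickets);
        }
        unclaimedTickets[currentDraw][player].playerTicketCount += uint128(numberOfTickets);
    }

    // Assumed external entry point so the internal function can be exercised
    // in a test; in the real system registration is driven by ticket purchase.
    function register(uint128 draw, address referrer, uint256 tickets) external {
        referralRegisterTickets(draw, referrer, msg.sender, tickets);
    }
}
```

Reverting is the strictest option; silently treating a self-referral as "no referrer" (resetting `referrer` to `address(0)`) is an alternative if the purchase itself should still succeed.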

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #483

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)