Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L124
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L133
Vulnerability details
Impact
The referral code, passed to the lock functions as a raw bytes value, should be treated with the same level of care as the rest of the points logic, because it is a caller-controlled input that can be spammed. Since a referral earns extra points, several abuse scenarios become possible.
Proof of Concept
The code that awards extra points for referrals runs off-chain and is not available for review, so the following are likely scenarios for how the referral parameter can be abused, depending on how that backend is implemented.

Extra points for each transaction carrying a given referral (or set of referrals): this enables Sybil farming. A spammer can spread a small balance across many wallets and call lock or lockEth from each of them, collecting points in every wallet. Depending on the backend, the same wallet could also repeat transactions with the same referral to accumulate points unfairly.

Single-use referral: an attacker can front-run a legitimate user's transaction, submit the same referral first and take the points intended for that user.

Referral credited to the receiver address: lockFor or lockEthFor can be used to farm points across many receiver wallets with tiny amounts, since the caller chooses the receiver.

In short, the referral parameter lends itself to Sybil farming.

The exact impact of this referral spamming cannot be determined without the backend, but the likelihood is high.
Tools Used
Manual Review
Recommended Mitigation Steps
Instead of passing the raw referral code, have the caller pass a hash of the code salted with msg.sender (or with the receiver address for the lockFor and lockEthFor variants), for example keccak256 of the code concatenated with the address. When the backend processes the emitted event, it recomputes the hash for that event's sender or receiver and awards points only if it matches. A hash copied from another user's pending transaction will not verify for a different address, and the plaintext code never appears on-chain. Because the backend still cannot distinguish one attacker-controlled wallet from another, this binding should be paired with a minimum lock amount or amount-proportional points so that splitting funds across wallets does not increase the reward.
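The scenarios above and the proposed mitigation, as an added example that is not part of the original finding or of the Loop code base: a Python simulation of an off-chain points backend reading a constructed stream of Locked(receiver, amount, referral) events. It assumes that event shape, assumes the naive backend awards one bonus point per transaction to both referee and referrer, and uses SHA3-256 from hashlib as a stand-in for the EVM's keccak256 (the binding argument is identical; swap in a Keccak implementation for a real backend). The hardened scheme binds the code to the receiver address and scores by locked amount over a minimum, so a copied hash fails verification and dust spread across wallets earns nothing.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass


def H(*parts: bytes) -> bytes:
    """Stand-in for keccak256 (assumption: SHA3-256; EVM Keccak differs only in padding)."""
    d = hashlib.sha3_256()
    for p in parts:
        d.update(p)
    return d.digest()


def addr(hex_addr: str) -> bytes:
    """20-byte form of a 0x-prefixed address; short demo addresses are left-padded."""
    return bytes.fromhex(hex_addr[2:].rjust(40, "0"))


@dataclass(frozen=True)
class Locked:
    """Assumed event shape: who was credited, how much, and the raw bytes32 referral."""
    receiver: str    # msg.sender for lock/lockEth, the _for address for lockFor/lockEthFor
    amount: int      # wei locked in this transaction
    referral: bytes  # the bytes32 field supplied by the caller


def naive_points(events: list[Locked], owners: dict[bytes, str],
                 single_use: frozenset[bytes] = frozenset()) -> dict[str, int]:
    """Scheme A: raw code on-chain, one point each to referrer and referee per transaction."""
    pts: dict[str, int] = defaultdict(int)
    consumed: set[bytes] = set()
    for ev in events:
        owner = owners.get(ev.referral)
        if owner is None or ev.referral in consumed:
            continue
        pts[owner] += 1
        pts[ev.receiver] += 1
        if ev.referral in single_use:
            consumed.add(ev.referral)  # first use wins, so a front-runner steals it
    return dict(pts)


def bound_referral(code: bytes, receiver: str) -> bytes:
    """Scheme B: what a referee submits instead of the raw code; the code never hits the chain."""
    return H(code, addr(receiver))


def hardened_points(events: list[Locked], owners: dict[bytes, str],
                    min_amount: int) -> dict[str, int]:
    """Scheme B backend: recompute the commitment per event, score by amount, ignore dust."""
    pts: dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.amount < min_amount:
            continue  # dust split across wallets earns nothing
        for code, owner in owners.items():  # index by (code, receiver) in production
            if ev.referral == bound_referral(code, ev.receiver):
                units = ev.amount // min_amount  # splitting a lock never increases units
                pts[owner] += units
                pts[ev.receiver] += units
                break
    return dict(pts)


def demo() -> dict[str, dict[str, int]]:
    """Constructed scenario: Mallory farms her own code from dust wallets, Bob front-runs Dave."""
    carol, dave, bob, mallory = "0xca401", "0xda4e", "0xb0b", "0xbad"
    code_c, code_m = b"CAROL", b"MALLORY"
    wallets = [f"0x{i:040x}" for i in range(1, 51)]  # 50 throwaway wallets holding 1 wei each

    # Scheme A: raw codes padded to bytes32, Carol's code is single-use.
    raw_c, raw_m = code_c.ljust(32, b"\0"), code_m.ljust(32, b"\0")
    events_a = [Locked(w, 1, raw_m) for w in wallets]            # Sybil spray of dust
    events_a += [Locked(bob, 10**18, raw_c),                      # front-run lands first
                 Locked(dave, 10**18, raw_c)]                     # legitimate use, now ignored
    naive = naive_points(events_a, {raw_c: carol, raw_m: mallory},
                         single_use=frozenset({raw_c}))

    # Scheme B: every caller binds the code to the address being credited.
    events_b = [Locked(w, 1, bound_referral(code_m, w)) for w in wallets]
    events_b += [Locked(bob, 10**18, bound_referral(code_c, dave)),  # Bob copies Dave's hash
                 Locked(dave, 10**18, bound_referral(code_c, dave))]
    hardened = hardened_points(events_b, {code_c: carol, code_m: mallory}, min_amount=10**17)
    return {"naive": naive, "hardened": hardened}
```

Under the naive scheme Mallory collects 50 points from 50 wei and Bob takes the single-use bonus meant for Dave; under the bound scheme the dust events are dropped, Bob's copied hash does not verify for his address, and only Dave's lock credits Dave and Carol.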
Assessed type
Other