Description

The function setCodeOwner allows an account that owns a referral code to transfer that code to another account:

function setCodeOwner(bytes32 _code, address _newAccount) external {
    require(_code != bytes32(0), "ReferralStorage: invalid _code");

    address account = codeOwners[_code];
    require(msg.sender == account, "ReferralStorage: forbidden");

    codeOwners[_code] = _newAccount;

    delete codes[account];
    codes[_newAccount] = _code;

    emit SetCodeOwner(msg.sender, _newAccount, _code);
}

However, _newAccount may already have a code or may not want to receive the code.

Additionally, the transfer process does not update the referrer tier of the sender or recipient, so if the recipient did not have a code, they will stay at tier zero due to the uninitialized field rather than being set to tier one. And either way, the sender will keep their tier, despite having given away the code, until they register another code.

Impact

Anyone can overwrite anyone else's referrer code in the codes mapping to their own referrer code.

Also, tiers and referral codes will become out of sync upon a transfer.

Recommendations

Rework the code-transfer process to include a step where the recipient affirms the transfer before it actually takes place. Also, have the code-transfer process transfer the tier or associate tiers with referrer accounts instead of codes.

Remediation

This issue has been acknowledged by Avantis Labs, Inc., and fixes were implemented in the following commits:

• 0524a688↗
• 73c26d9a↗