Who Am I: 0xMo7areb, a bug hunter and Penetration Tester :)

Follow me: X account || LinkedIn account

Praise be to God, who taught by the pen, taught man what he did not know. Peace and blessings be upon the best of those who teach people good, Muhammad. Now then:

Narrated Jabir, may God be pleased with him: I heard the Messenger of God, peace and blessings be upon him, say: "Between a man and polytheism and disbelief stands the abandonment of prayer." Reported by Muslim.

Read this write-up on the same application and the same referral feature first: https://medium.com/@0xMo7areb/a-critical-referral-logic-flaw-enabling-unlimited-financial-exposure-44dd753e0269

Let's Go To Today's Bug

A critical gap exists in the platform's referral system: when users delete their accounts, their referral codes remain active. This allows new users to redeem codes from deleted accounts, receiving rewards even though the original account no longer exists. The system does not properly tie referral codes to active accounts, creating a logic-based financial loophole.

The Referral Code That Didn't Die

Every user in the platform receives a unique referral code.

When someone signs up using that code:

  • The referrer earns 100 CHF.
  • The new user earns 100 CHF.

Simple growth engine. Clear incentive model.

But there was a flaw.

When a user deletes their account, the referral code linked to that account remains active. The profile is gone; the code is not.

That means:

  1. A user creates an account and gets a referral code.
  2. The user deletes the account.
  3. A new account redeems the old code.
  4. The system still grants 100 CHF to the new user.

The reward is issued even though the original account no longer exists.

No hacking required. Just logic.

Impact

This flaw can lead to:

  • Financial loss: Rewards are granted without legitimate referrers.
  • Abuse of referral system: Orphaned codes can be used repeatedly.
  • Trust issues: Users may lose confidence in the fairness of the rewards program.
  • Weak lifecycle management: Account deletion does not cascade to dependent assets like referral codes.

The Fix

The solution is straightforward:

  • Automatically deactivate referral codes when accounts are deleted.
  • Validate that every referral code maps to an active account before issuing rewards.

If the account is gone, the incentive should be gone too.
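As an added example (not code from the original write-up or from the platform), the following Python model replays the four steps above against a constructed SQLite schema and applies both fixes: account deletion cascades to the referral code, and redemption requires the code to map to an active account before any CHF is credited. The table layout, the soft-delete `active` flags and the sample accounts are assumptions.

```python
import sqlite3

REWARD_CHF = 100  # reward amount stated in the write-up

def new_db():
    # Constructed in-memory schema; the platform's real schema is not public.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
            balance INTEGER NOT NULL DEFAULT 0, active INTEGER NOT NULL DEFAULT 1);
        CREATE TABLE referral_codes (code TEXT PRIMARY KEY,
            owner_id INTEGER NOT NULL, active INTEGER NOT NULL DEFAULT 1);""")
    return db

def create_user(db, name, code):
    cur = db.execute("INSERT INTO users(name) VALUES (?)", (name,))
    db.execute("INSERT INTO referral_codes(code, owner_id) VALUES (?, ?)", (code, cur.lastrowid))
    return cur.lastrowid

def delete_account(db, user_id, fixed):
    # The profile is deactivated either way; only the fixed path cascades to the code (fix 1).
    db.execute("UPDATE users SET active = 0 WHERE id = ?", (user_id,))
    if fixed:
        db.execute("UPDATE referral_codes SET active = 0 WHERE owner_id = ?", (user_id,))

def redeem(db, code, new_user_id, fixed):
    # Vulnerable lookup: the code merely has to exist. Fixed lookup (fix 2): the code must
    # be active and its owner must be an active account before any CHF is credited.
    if fixed:
        row = db.execute(
            "SELECT c.owner_id FROM referral_codes c JOIN users u ON u.id = c.owner_id "
            "WHERE c.code = ? AND c.active = 1 AND u.active = 1", (code,)).fetchone()
    else:
        row = db.execute("SELECT owner_id FROM referral_codes WHERE code = ?", (code,)).fetchone()
    if row is None:
        return False  # no reward for an orphaned or unknown code
    db.execute("UPDATE users SET balance = balance + ? WHERE id IN (?, ?)",
               (REWARD_CHF, row[0], new_user_id))
    return True

def replay(fixed):
    """Replays the write-up's four steps; returns (reward_granted, new_user_balance_chf)."""
    db = new_db()
    alice = create_user(db, "alice", "ALICE-CODE")  # constructed sample accounts
    delete_account(db, alice, fixed)
    bob = create_user(db, "bob", "BOB-CODE")
    granted = redeem(db, "ALICE-CODE", bob, fixed)
    balance = db.execute("SELECT balance FROM users WHERE id = ?", (bob,)).fetchone()[0]
    return granted, balance
```

`replay(False)` reproduces the flaw (the orphaned code still pays out 100 CHF), while `replay(True)` shows the same sequence being refused; a code whose owner is still active continues to work under the strict check.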

Security isn't always about breaking systems. Sometimes it's about closing the gaps they forgot to close.

Triager Answer


I hope this write-up gives you a clear understanding of how critical and financially impactful this flaw truly is.

Don't forget to follow me on this Medium account :)

"ุณูุจู’ุญูŽุงู†ูŽูƒูŽ ุงู„ู„ู‘ูŽู‡ูู…ู‘ูŽ ูˆูŽุจูุญูŽู…ู’ุฏููƒูŽ ุŒ ุฃูŽุดู’ู‡ูŽุฏู ุฃูŽู†ู’ ู„ุง ุฅูู„ูŽู‡ูŽ ุฅูู„ุง ุฃูŽู†ู’ุชูŽ ุŒ ุฃูŽุณู’ุชูŽุบู’ููุฑููƒูŽ ูˆูŽุฃูŽุชููˆุจู ุฅูู„ูŽูŠู’ูƒูŽ"