# Users able to receive fees of SWAPs

**Vulnerable File**: `ref-exchange/src/simple_pool.rs`
**Parameter**: `referral_id`
**Function**: `swap`
**Lines**: 310-318
**Impact**: Medium
**Short Fix**: Check whether the current user is the same as `referral_id`

### Description

Hi! During a code review I found a possible vulnerability (I didn't find anything about this in your docs) in the user interactions with the application that take the `referral_id` parameter. This vulnerability allows users to receive the fees of their own transaction, because the functions that receive this parameter do not check whether it is the same as the calling user (or one of their subaccounts).

### Technical Description

Looking at the [`ref-exchange/src/lib.rs`](https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/lib.rs#L182-L199) contract at lines 182-199, the function `swap` receives the `referral_id` and passes it on to the next functions:

![](https://i.imgur.com/MY8WRsf.png)

In the last of these, [`internal_pool_swap`](https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/lib.rs#L451-L476) at lines 451-476, the swap is performed:

![](https://i.imgur.com/R4gVfob.png)

It's important to mention that nowhere is `referral_id` checked against the current user.

The function that handles the payment of the fee to the `referral_id` can be found in [`ref-exchange/src/simple_pool.rs`](https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/simple_pool.rs#L310-L318) at lines 310-318:

![](https://i.imgur.com/A1nxLTw.png)

Lines 311-313 can be reached if the user has already deposited LP tokens to the pool.

### Steps to Reproduce

Via near-cli:

1. Deploy the contract (or use the already deployed one)
2. Deposit some LP tokens to the pool (this presumably inserts the user into the `self.shares` map)
3. Call the `swap` function and pass yourself in the `referral_id` parameter
4. The fees (4%) will be sent back to your account

### Impact

Users can use this vulnerability to receive back part of the fee on any swap transaction.

### Possible Fixes

It's important to check whether the `referral_id` is the same as `env::predecessor_account_id()` or any subaccount of the user.
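The check proposed above, written out as an added example (this is not ref-finance code). It models account ids as plain strings so it runs without `near_sdk`; in the contract, `caller` would be `env::predecessor_account_id()` and the ids would be `AccountId` values. The subaccount rule follows NEAR naming, where `bob.alice.near` is a subaccount of `alice.near`, and a referral that fails the check is simply dropped, so the referral share of the fee stays where it would go with no referral at all.

```rust
// Added example, not part of the ref-finance contracts. Account ids are plain
// &str here; in the real contract they would be near_sdk::AccountId values and
// `caller` would be obtained from env::predecessor_account_id().

/// True when `referral` is the caller itself or a NEAR subaccount of the caller.
/// The ".{caller}" suffix test means "bob.alice.near" matches "alice.near"
/// while an unrelated account such as "malice.near" does not.
pub fn is_self_referral(caller: &str, referral: &str) -> bool {
    referral == caller || referral.ends_with(&format!(".{}", caller))
}

/// Decide which account, if any, should receive the referral share of the fee.
/// Returns None when the referral would pay the swapper back, so the call can
/// proceed exactly as if no referral_id had been supplied.
pub fn effective_referral<'a>(caller: &'a str, referral: Option<&'a str>) -> Option<&'a str> {
    match referral {
        Some(r) if !is_self_referral(caller, r) => Some(r),
        _ => None,
    }
}

fn main() {
    // Constructed sample inputs for illustration.
    let caller = "alice.near";
    for r in [Some("alice.near"), Some("bob.alice.near"), Some("carol.near"), None] {
        println!("referral_id {:?} -> paid to {:?}", r, effective_referral(caller, r));
    }
}
```

In `swap`, `effective_referral` would be applied once, before the id is handed down to `internal_pool_swap`, so that none of the lower layers ever see a self-referral. Note that the check only covers the account naming hierarchy: it stops the direct case described in this report, but a user who controls an unrelated account can still name it as the referrer, so the referral fee should be sized with that in mind.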