Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

BuyerAgent Contract - Modification in `oracleStateRequest` Function

Summary

The BuyerAgent contract interacts with the Swan protocol to manage the lifecycle of asset purchasing through three phases: Sell, Buy, and Withdraw. One of its core functions, oracleStateRequest, lets authorized users request a state update via the oracle. This report recommends adding a condition so that the request is only issued when the buyer actually holds assets for the given round, analyzes the impact of that change, and gives recommendations.

Vulnerability Details

The current implementation of the oracleStateRequest function does not verify whether the buyer has any assets for the specified round before making a request to the oracle. This could result in unnecessary oracle requests, leading to wasted resources (such as gas fees) and an unnecessary load on the system.

Impact

  • Unnecessary Oracle Requests: The oracleStateRequest function could call the oracle without verifying that the buyer holds assets for the round. This could result in wasted gas fees and redundant oracle processing, especially in rounds where no assets were purchased by the buyer.

Tools Used

Recommendations

  1. Implement Asset Check: As described, add the condition to ensure oracle requests are only made when the buyer holds assets in the given round.

  2. Thorough Testing: After implementing the check, it is important to thoroughly test the contract to ensure that:

    • Oracle requests are only made when there are assets.

    • The contract reverts correctly when no assets are available.

The recommended modification introduces a check on the assets held by the buyer in the current round before making a state update request via the oracle. Specifically, the following condition should be added:

```diff
 function oracleStateRequest(bytes calldata _input, bytes calldata _models) external onlyAuthorized {
     // check that we are in the Buy phase, and return round
     (uint256 round,) = _checkRoundPhase(Phase.Buy);
+    // only pay for an oracle round-trip when the buyer holds assets in this round
+    if (swan.assetsPerBuyerRound[address(this)][round] > 0) {
     oracleStateRequests[round] = swan.coordinator().request(
         SwanBuyerStateOracleProtocol,
         _input,
         _models,
         swan.getOracleParameters()
     );
+    } else {
+        revert("No assets held by the buyer in the current round.");
+    }
 }
```

This ensures that the oracle is only queried when there are assets for the buyer in the current round, improving efficiency and reducing unnecessary state update requests.
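To show the guard and the two test cases from the recommendations (a request is issued when assets exist, and the call reverts when none do) in one runnable unit, here is an added, self-contained Foundry example. It is not the project's code: `ISwanLike`, `MockSwan`, `getListedAssets`, `requestState`, `GuardedBuyerAgent` and its `currentRound` stand-in for `_checkRoundPhase` are all assumptions made for illustration, and the real Swan storage layout for per-round assets may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumed: Foundry's forge-std is installed

// Hypothetical, minimal stand-in for the slice of the Swan surface this finding
// touches. Names and signatures are assumptions, not the project's interfaces.
interface ISwanLike {
    // Assumed: returns the assets the given buyer holds for a round.
    function getListedAssets(address buyer, uint256 round) external view returns (address[] memory);
    // Assumed: issues a state-oracle request and returns its task id.
    function requestState(bytes calldata input, bytes calldata models) external returns (uint256 taskId);
}

contract MockSwan is ISwanLike {
    mapping(address => mapping(uint256 => address[])) internal assets;
    uint256 public requestCount; // how many oracle requests were actually issued
    uint256 internal nextTaskId = 1;

    function addAsset(address buyer, uint256 round, address asset) external {
        assets[buyer][round].push(asset);
    }

    function getListedAssets(address buyer, uint256 round) external view returns (address[] memory) {
        return assets[buyer][round];
    }

    function requestState(bytes calldata, bytes calldata) external returns (uint256 taskId) {
        requestCount++;
        return nextTaskId++;
    }
}

contract GuardedBuyerAgent {
    error NoAssetsInRound(uint256 round);

    ISwanLike public immutable swan;
    address public immutable owner;
    uint256 public currentRound; // stand-in for the round returned by _checkRoundPhase
    mapping(uint256 => uint256) public oracleStateRequests;

    modifier onlyAuthorized() {
        require(msg.sender == owner, "unauthorized");
        _;
    }

    constructor(ISwanLike _swan) {
        swan = _swan;
        owner = msg.sender;
    }

    function setRound(uint256 round) external onlyAuthorized {
        currentRound = round;
    }

    // The recommended guard: skip the oracle round-trip (and its gas) when the
    // buyer holds nothing in this round. A typed error keeps the revert reason
    // cheap to match in tests and off-chain monitoring.
    function oracleStateRequest(bytes calldata _input, bytes calldata _models) external onlyAuthorized {
        uint256 round = currentRound;
        if (swan.getListedAssets(address(this), round).length == 0) {
            revert NoAssetsInRound(round);
        }
        oracleStateRequests[round] = swan.requestState(_input, _models);
    }
}

contract GuardedBuyerAgentTest is Test {
    MockSwan internal swan;
    GuardedBuyerAgent internal agent;

    function setUp() public {
        swan = new MockSwan();
        agent = new GuardedBuyerAgent(swan); // test contract is the authorized owner
    }

    // Recommendation 2b: the contract reverts when no assets are available,
    // and no oracle request is issued.
    function test_RevertsWhenNoAssets() public {
        vm.expectRevert(abi.encodeWithSelector(GuardedBuyerAgent.NoAssetsInRound.selector, 0));
        agent.oracleStateRequest("", "");
        assertEq(swan.requestCount(), 0);
    }

    // Recommendation 2a: a request is only made when there are assets.
    function test_RequestsWhenAssetsExist() public {
        swan.addAsset(address(agent), 0, address(0xBEEF)); // constructed sample asset
        agent.oracleStateRequest("", "");
        assertEq(swan.requestCount(), 1);
        assertEq(agent.oracleStateRequests(0), 1);
    }
}
```

Run with `forge test` in a project that has forge-std available. The example uses a `.length == 0` check on an array getter rather than comparing a mapping entry to zero, because a public nested mapping of arrays cannot be indexed with `[]` from another contract in Solidity; whatever accessor the real Swan exposes, the guard should read that accessor rather than assume storage layout.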

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
