Dria / Swan (NFT, Hardhat) - 21,000 USDC
Submission Details
Severity: high
Invalid

New `SwanAsset`s Can Be Deployed Permissionlessly

Summary

The SwanAssetFactory allows genuine SwanAssets to be errantly deployed and transferred to BuyerAgents, independently of the Swan marketplace.

Vulnerability Details

In Dria, BuyerAgents compete for dominance through acquiring marketplace items as per the instructions derived from an invocation to offchain LLMs.

From the CodeHawks Discord, we have the example BuyerAgent behaviour:

"today I obtained a screwdriver, I am finally able to build my XYZ machine. Now what I need is just a power bolt, and I will be good to go!"

and the simulation goes on like that

based on the inventory and status of the buyer, you can sell it different things that it may need and so on

https://discord.com/channels/1127263608246636635/1299335387898183710/1299773956466671687

The intended flow is that new SwanAssets should be created via the SwanAssetFactory during a call to list, in the hope that the offchain LLMs come to consensus that the asset should be purchased:

function list(string calldata _name, string calldata _symbol, bytes calldata _desc, uint256 _price, address _buyer)
    external
{
    BuyerAgent buyer = BuyerAgent(_buyer);
    (uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();
    // buyer must be in the sell phase
    if (phase != BuyerAgent.Phase.Sell) {
        revert BuyerAgent.InvalidPhase(phase, BuyerAgent.Phase.Sell);
    }
    // asset count must not exceed `maxAssetCount`
    if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
        revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
    }
    // all is well, create the asset & its listing
@>  /// @audit the new item is created via the marketplace
@>  address asset = address(swanAssetFactory.deploy(_name, _symbol, _desc, msg.sender));

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L157C5-L173C93

However, since the SwanAssetFactory enforces no access control, a BuyerAgent can be handed exactly the SwanAssets it needs without ever going through the marketplace: anyone can permissionlessly deploy an asset, and because the caller is set as its operator, transfer it straight to the BuyerAgent during any phase:

/// @notice Factory contract to deploy SwanAsset tokens.
/// @dev This saves from contract space for Swan.
contract SwanAssetFactory { /// @audit is not `Ownable`
    /// @notice Deploys a new SwanAsset token.
@>  function deploy(string memory _name, string memory _symbol, bytes memory _description, address _owner)
@>      external
@>      returns (SwanAsset) /// @audit missing access controls
    {
        /// @audit msg.sender is configured as the ERC-721 operator
        return new SwanAsset(_name, _symbol, _description, _owner, msg.sender);
    }
}

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/SwanAsset.sol#L7C1-L17C2

Consequently, users can sidestep the intended mechanics of the game. Looking back at the example scenario:

"today I obtained a screwdriver, I am finally able to build my XYZ machine. Now what I need is just a power bolt, and I will be good to go!"

  1. A user can simply permissionlessly deploy and transfer a new Power Bolt to their BuyerAgent at zero cost.

  2. An adversary could alternatively mint a Broken Power Bolt, or a Cancer Diagnosis.

In both cases, these will be genuine SwanAssets held in the BuyerAgent's inventory, and will consequently impact upon LLM results.

Impact

  1. Marketplace mechanics can be bypassed entirely in the acquisition of desired assets.

  2. SwanAssets can be transferred independently of consensus or phase.

  3. Users can errantly impact upon competitor inventories with authentic (albeit illegitimately acquired) SwanAssets.

  4. Stunted market formation.

Tools Used

Manual Review

Recommendations

  1. Enforce access control mechanisms on the SwanAssetFactory.

  2. The SwanAssetFactory should never mark the creator as an operator, since they have the right to transfer directly to target BuyerAgents. Ideally, newly created assets should be minted to Swan, and only ever be transferred to recognized BuyerAgents during appropriate phases.
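To make the recommendations concrete, the following added example (not the project's code, and not part of the original submission) places the permissionless factory shape described in the report beside a restricted factory that only the Swan marketplace may call and that names Swan, rather than the caller, as the asset's operator. Only the `deploy` signature and the `SwanAsset` constructor argument order come from the report; the minimal `SwanAsset` stand-in, its `operator` field, the `swan` constructor argument and the `OnlySwan` error are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Constructed stand-in for SwanAsset. Only the constructor signature shown in the
///      report is assumed; the real contract's ERC-721 transfer logic is not reproduced.
contract SwanAsset {
    string public name;
    string public symbol;
    bytes public description;
    address public owner;
    /// @dev The address permitted to move the token on the owner's behalf (the report's "ERC-721 operator").
    address public operator;

    constructor(
        string memory _name,
        string memory _symbol,
        bytes memory _description,
        address _owner,
        address _operator
    ) {
        name = _name;
        symbol = _symbol;
        description = _description;
        owner = _owner;
        operator = _operator;
    }
}

/// @dev The vulnerable shape from the report: any caller may deploy, and that caller becomes the operator,
///      so the asset can be transferred to a BuyerAgent outside of Swan's phase and asset-count checks.
contract SwanAssetFactoryPermissionless {
    function deploy(string memory _name, string memory _symbol, bytes memory _description, address _owner)
        external
        returns (SwanAsset)
    {
        return new SwanAsset(_name, _symbol, _description, _owner, msg.sender);
    }
}

/// @dev Hardened factory: deployment is restricted to the Swan marketplace (recommendation 1), and the
///      marketplace, not the caller, is recorded as operator (recommendation 2), so every transfer to a
///      BuyerAgent still has to pass through Swan's own round/phase logic.
contract SwanAssetFactoryRestricted {
    /// @dev Address of the Swan marketplace; fixed at construction so it cannot be re-pointed later.
    address public immutable swan;

    error OnlySwan(address caller);

    constructor(address _swan) {
        require(_swan != address(0), "swan address required");
        swan = _swan;
    }

    modifier onlySwan() {
        if (msg.sender != swan) revert OnlySwan(msg.sender);
        _;
    }

    function deploy(string memory _name, string memory _symbol, bytes memory _description, address _owner)
        external
        onlySwan
        returns (SwanAsset)
    {
        // Swan is the operator: a seller never gains the right to push the asset into a BuyerAgent directly.
        return new SwanAsset(_name, _symbol, _description, _owner, swan);
    }
}
```

Deploy `SwanAssetFactoryRestricted` with the marketplace's address and point `Swan.swanAssetFactory` at it; a direct `deploy` call from any other account reverts with `OnlySwan`, while the `list` path shown earlier keeps working because its caller is the marketplace itself. The example changes who may deploy and who acts as operator; whether newly created assets should additionally be owned by Swan until a recognized BuyerAgent acquires them, as the second recommendation suggests, is a design decision for the project and is not implemented here.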

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
