Dria

Summary

Sellers can monopolize a BuyerAgent's assetsPerBuyerRound.

Vulnerability Details

In the Sell phase, sellers can attempt to list assets for purchase to target BuyerAgents.

This function imposes the restriction that a maxAssetCount should be enforced for each BuyerAgent, which sets the upper limit on the number of sales opportunities a BuyerAgent can be presented with:

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L167C9-L173C93

Consequently, this means a single user can monopolize a target BuyerAgent's assetsPerBuyerRound, in effect ensuring themselves to be selected by the LLM for a sale.

Monopolized listings could be gamed to include maliciously priced items (such as thosen which drain excess account balances beyond a BuyerAgent's minFundAmount), or even malicious items set to disadvantage the bot's inventory.

Impact

BuyerAgents can be coerced into buying purchasing exclusively from a single actor that pre-emptively monopolises their assetsPerBuyerRound with arrays of exploitative SwanAssets.

Additionally, this can be used as a means to DoS competitors.

Tools Used

Manual Review

Recommendations

1. Remove the limitation (or use an extremely high maxAssetAccount) to eliminate the concept of scarcity.

2. Alternatively, ensure fair competition for assetsPerBuyerRound space through the application of an auction model which prioritizes the BuyerAgent's profit.

3. Enable BuyerAgents to configure a maximum price they are willing to spend on assets for a round to discourage manipulation.