Consider the functions Swan::list and Swan::transferRoyalties.
Note that the list function limits the number of listings that can be created within a round: maxAssetCount.
However, there is no check on the minimum _price value. Consider the smallest possible value, _price = 0.
At this value, the fee the user pays for creating a listing is also 0, so creating such a listing costs the user nothing beyond the network gas fee. Since the protocol's main network will be Base, that cost is very small.
Thus an attacker can fill all listing slots of the current round in a single transaction, blocking the protocol's basic functionality for honest users.
Given that the cost of such an attack is extremely small, the attacker can repeat it every round and for every buyer, because the start time of a new round is predictable.
The only difficulty for an attacker is that each listing has to be created from a new address.
However, this is easy to get around: many new contracts can be created, each of which calls list in its constructor.
Thus the attack is easy to perform in a single transaction.
Anyone can be blocked from using the protocol for one round.
The malicious behaviour can be repeated every round.
So this is a very cheap way to intentionally DoS the protocol's functionality for a Buyer, or simply a griefing attack.
Likelihood: High
Impact: High
Severity: High
Manual Review
Add a minimum amount check for _price. Note that simply checking _price != 0 is not enough, because with _price = 1 the user's fee will also be 0 due to rounding down in the division.
Add a check such as _price >= 1e18 (for an ERC20 token with 18 decimals).
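As an added illustration (not the Swan project's code), the following Python model of the fee arithmetic assumes the listing fee is computed as price * feePercent / 100 with Solidity-style integer division and a hypothetical 1% platform fee; it shows why rejecting only _price == 0 still admits fee-free listings, while the suggested minimum does not.

```python
# Added example, not code from the Swan protocol.
# Assumptions (placeholders, not taken from the page): the platform fee is a
# whole percentage applied as price * FEE_PERCENT / 100 with integer division,
# and the payment token has 18 decimals.

FEE_PERCENT = 1            # assumed 1% platform fee
DECIMALS = 18
MIN_PRICE = 10**DECIMALS   # the page's suggested threshold (1e18 for an 18-decimal token)


def listing_fee(price: int, fee_percent: int = FEE_PERCENT) -> int:
    """Fee charged on listing creation; `//` rounds down exactly like Solidity."""
    return price * fee_percent // 100


def weak_check(price: int) -> bool:
    """The insufficient guard the page warns about: rejects only a zero price."""
    return price != 0


def strong_check(price: int, min_price: int = MIN_PRICE) -> bool:
    """The recommended guard: a minimum price large enough that the fee is non-zero."""
    return price >= min_price


def smallest_fee_paying_price(fee_percent: int = FEE_PERCENT) -> int:
    """Smallest price whose rounded-down fee is at least 1 wei: ceil(100 / fee_percent)."""
    return -(-100 // fee_percent)


def free_listings_passing(check, limit: int) -> list[int]:
    """Prices below `limit` that pass `check` yet still produce a zero fee."""
    return [p for p in range(limit) if check(p) and listing_fee(p) == 0]


if __name__ == "__main__":
    print("fee(1) =", listing_fee(1))                      # 0: rounding swallows the fee
    print("weak check lets through:", free_listings_passing(weak_check, 200))
    print("strong check lets through:", free_listings_passing(strong_check, 200))
    print("first fee-paying price:", smallest_fee_paying_price())
```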