Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Asset listing further exceeds `maxAssetCount` in `list()` after market-parameter update

tigerfrake

Summary

In the list() function, which adds assets for a buyer during a specific round, the function checks whether the asset count equals the maximum asset count (maxAssetCount) before allowing new listings. However, when a new _marketParameters is added via setMarketParameters(), this value immediately applies as the current limit.

If the new limit is lower than the current number of listed assets, the equality-based check fails to catch it, allowing listings to further exceed the limit.

Vulnerability Details

The list() function checks if the number of assets listed by a buyer during a round meets the maxAssetCount limit by comparing it with the current count using an == condition:

>> if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}

When a new _marketParameters with a lower maxAssetCount is pushed to the marketParameters array using setMarketParameters(), it takes effect immediately as the “current” parameter:

function setMarketParameters(SwanMarketParameters memory _marketParameters) external onlyOwner {
require(_marketParameters.platformFee <= 100, "Platform fee cannot exceed 100%");
_marketParameters.timestamp = block.timestamp;
>> marketParameters.push(_marketParameters);
}

If the current number of assets already exceeds the newly set maxAssetCount, the equality check (==) fails to detect this, allowing further listings even though the limit should have already been met.

This is because getCurrentMarketParameters() points to the last element in the array.

function getCurrentMarketParameters() public view returns (SwanMarketParameters memory) {
>> return marketParameters[marketParameters.length - 1];
}

Scenario:

  • Alice lists 3 assets during Round 1 when maxAssetCount is set to 5.

  • Owner later calls setMarketParameters() and pushes a new market parameter with maxAssetCount equal to 2 within the same round.

  • Since Alice already listed three assets (more than the new limit of 2), any new attempt by her to list assets should be blocked. However, the equality check fails to catch this, allowing her to list more assets despite exceeding the new limit.

Impact

This undermines the enforcement of maxAssetCount, potentially allowing sellers to further exceed asset limits intended.

Tools Used

Manual Review

Recommendations

Use (>=) condition to enforce maxAssetCount strictly:

- if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
+ if (assetsPerBuyerRound[_buyer][round].length >= getCurrentMarketParameters().maxAssetCount) {
revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[INVALID] List unlimited items

SwanManager::setMarketParameters pushes the new parameters `marketParameters.push(_marketParameters);` After that, when user calls list the protocol computes the round and the phase `(uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();` Inside the getRoundPhase function you have this if statement on top: `if (marketParams.length == marketParameterIdx + 1) {`. The setMarketParameters call changed the `marketParams` length, thing which will case the first case to be false and run the else statement. At the end of that statement we see there is a new round. So the second element of this check `(getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length` is zero, because the [round] is fresh.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.