Swan.sol list function DOS by filling up assetsPerBuyerRound
Summary
The Swan contract's list() function allows anyone to create listings for any buyer without permission, enabling a DOS attack where an attacker can fill up a buyer's asset quota with fake listings, preventing legitimate sellers from listing assets for that buyer during the same round.
Vulnerability Details
function list(string calldata _name, string calldata _symbol, bytes calldata _desc, uint256 _price, address _buyer)
external
{
BuyerAgent buyer = BuyerAgent(_buyer);
(uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();
// buyer must be in the sell phase
if (phase != BuyerAgent.Phase.Sell) {
revert BuyerAgent.InvalidPhase(phase, BuyerAgent.Phase.Sell);
}
// asset count must not exceed `maxAssetCount`
if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
We can see that whenever list is called we can push the asset to the buyer's array, with or without their permission
assetsPerBuyerRound[_buyer][round].push(asset);
This means that a DOS can be acieved by creating some bogus or fake listings, and when a real listing( or someone intends to actually sell to said buyer), they will not be able to do so due to this revert:
revert BuyerAgent.InvalidPhase(phase, BuyerAgent.Phase.Sell);
Impact
Sellers cannot sell to that user and for that buyer his listings can be filled with bogus or fake listings that will not benefit him.
Tools Used
Code review
Recommendations
Maybe on buyer side implement acceptance, as in buyer has to accept the listing.
Lead Judging Commences
DOS the buyer / Lack of minimal amount of listing price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.