Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

DOS Vulnerability through Zero-Price Asset Listings in Swan

Summary

The list function in the Swan contract lets users create and list assets for a specific buyer. However, it does not sufficiently validate the price parameter, which leaves it open to abuse. A malicious user could create assets with a zero price, bypassing fees and filling up a buyer's asset limit for a given round, which prevents legitimate listings.

Vulnerability Details

The primary vulnerability arises from the unchecked price parameter, which allows users to create assets with a price of zero. By doing this, the contract logic permits listings without paying any fees to the buyer or the platform. A malicious user could exploit this by creating numerous zero-price assets, filling up the allowed maxAssetCount limit per buyer per round.

// asset count must not exceed `maxAssetCount`
if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
    revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
// add this to list of listings for the buyer for this round
assetsPerBuyerRound[_buyer][round].push(asset);

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L185

Since the listing fee is calculated from the asset price, the contract logic allows users to list an asset without paying any fee when the price is zero.

/// @notice Function to transfer the royalties to the seller & Dria.
function transferRoyalties(AssetListing storage asset) internal {
    // calculate fees
    uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;
    uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;

This denial-of-service (DoS) attack could prevent legitimate users from listing their assets with the same buyer within that round. A malicious user could also use it to leave only their own legitimate listings in front of the buyer, shutting out competition.

Impact

A single malicious user could prevent legitimate users from listing assets for a particular buyer by filling up the asset limit with zero-price listings.

Tools Used

Manual

Recommendations

Set a minimum non-zero value for the price parameter to prevent zero-price asset listings. This will ensure that fees are always paid and discourage spam listings.
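
The recommended check as an added example, not taken from the Swan code base: ListingFloorExample, minPrice, the fees helper and the PriceBelowMinimum and FeeRoundsToZero errors are hypothetical names, the parameters are assumed fixed at deployment, and token transfers are omitted. It goes one step past the recommendation by also rejecting non-zero prices whose fee truncates to zero under the integer division used in transferRoyalties.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the Swan contract: a reduced listing registry
/// that keeps the page's per-buyer cap and fee formula and adds a price floor.
contract ListingFloorExample {
    error AssetLimitExceeded(uint256 limit);
    error PriceBelowMinimum(uint256 price, uint256 minimum);
    error FeeRoundsToZero(uint256 price, uint256 royaltyFee);

    struct Listing {
        address seller;
        uint256 price;
        uint256 royaltyFee; // percent, as in transferRoyalties
    }

    uint256 public immutable maxAssetCount; // assumed fixed here
    uint256 public immutable platformFee;   // percent; assumed fixed and > 0
    uint256 public immutable minPrice;      // hypothetical parameter

    mapping(address => mapping(uint256 => Listing[])) public assetsPerBuyerRound;

    constructor(uint256 _maxAssetCount, uint256 _platformFee, uint256 _minPrice) {
        maxAssetCount = _maxAssetCount;
        platformFee = _platformFee;
        minPrice = _minPrice;
    }

    /// Same arithmetic as the transferRoyalties excerpt; integer division truncates.
    function fees(uint256 price, uint256 royaltyFee) public view returns (uint256 buyerFee, uint256 driaFee) {
        buyerFee = (price * royaltyFee) / 100;
        driaFee = (buyerFee * platformFee) / 100;
    }

    function list(address buyer, uint256 round, uint256 price, uint256 royaltyFee) external {
        // 1. Reject zero and dust prices before a slot is consumed.
        if (price < minPrice) revert PriceBelowMinimum(price, minPrice);
        // 2. A non-zero price can still yield zero fees after truncation
        //    (e.g. price = 1, royaltyFee = 1), so check the fees themselves.
        (uint256 buyerFee, uint256 driaFee) = fees(price, royaltyFee);
        if (buyerFee == 0 || driaFee == 0) revert FeeRoundsToZero(price, royaltyFee);
        // 3. Cap check as in the page's excerpt.
        if (assetsPerBuyerRound[buyer][round].length == maxAssetCount) {
            revert AssetLimitExceeded(maxAssetCount);
        }
        assetsPerBuyerRound[buyer][round].push(Listing(msg.sender, price, royaltyFee));
    }
}
```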

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price
