Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Asset Manipulation Through Round & Phase Exploitation

aariiif

Summary

Swan protocol's listing mechanism allows malicious actors to manipulate asset listings through unvalidated buyer addresses and round/phase exploitation. An attacker can create artificial market conditions by exploiting the round-based validation system, potentially leading to unauthorized asset control and market price manipulation.

The function accepts any address as _buyer without validating if it's a legitimate BuyerAgent
There's no check if the buyer address exists or is active before casting to BuyerAgent
The contract assumes the buyer is valid just by attempting to call getRoundPhase()

Vulnerability Details

The core vulnerability exists in the listing logic where buyer validation and round management are insufficiently protected: https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L157-L191

function list(string calldata _name, string calldata _symbol, bytes calldata _desc, uint256 _price, address _buyer)

external

{

// @Issue - Direct casting without existence/validity check enables fake buyer contracts

BuyerAgent buyer = BuyerAgent(_buyer);

// @Issue - Round/phase can be manipulated by malicious buyer contract

(uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();

// @Issue - Race condition between check and listing creation

if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {

revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);

}

// @Issue - No validation of price manipulation through round transitions

listings[asset] = AssetListing({

price: _price,

round: round,

// ...other fields

});

}

Impact

Market manipulation through artificial round progression
Unauthorized asset listings through fake buyer contracts
Price manipulation across rounds

Recommendations

Implement a buyer registry with proper validation
Add round progression controls
Implement price validation across rounds
Add atomic operation support for listing creation

Updates

Lead Judging Commences

inallhonesty Lead Judge

12 months ago

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.