Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

Unconstrained Buyer Agent Creation Enables Economic Attacks

Summary

The createBuyer function in Swan.sol allows buyer agents to be created with unconstrained spending limits and royalty fees. This enables the creation of economically invalid buyers that can disrupt protocol operations and manipulate market dynamics through fee exploitation.

Vulnerability Details

Specifically in the createBuyer function of Swan.sol: https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L326-L336

    function createBuyer(
        string calldata _name,
        string calldata _description,
        uint96 _feeRoyalty,
        uint256 _amountPerRound
    ) external returns (BuyerAgent) {
        // @Issue - Missing validation on _amountPerRound allows creation of buyers with zero spending limit
        // @Issue - No minimum threshold check on _amountPerRound relative to oracle fees
        // @Issue - _feeRoyalty lacks upper bound validation, allowing fees > 100%
        BuyerAgent agent = buyerAgentFactory.deploy(_name, _description, _feeRoyalty, _amountPerRound, msg.sender);
        emit BuyerCreated(msg.sender, address(agent));
        return agent;
    }

The Problem:

  • The function lacks validation on the _feeRoyalty parameter

  • Unlike other parts of the contract where fees are checked (e.g., platformFee <= 100), buyer royalty fees aren't validated

  • This allows buyer agents to be created with royalty fees above 100%

PoC:

    // Can create a buyer with fee > 100%
    await swan.createBuyer("Test", "Test Desc", 101, ethers.utils.parseEther("1"))

For the protocol this is a problem because:

  1. Buyers with a zero spending limit can be created; they would be unable to participate in purchases but would still consume protocol resources

  2. If _amountPerRound is set below required oracle fees, the buyer agent would be created but unable to execute any purchases due to insufficient funds for oracle operations

  3. Uncapped royalty fees could lead to:

    • Excessive fee extraction from trades

    • Broken economics when fees exceed 100%

    • Potential overflow in fee calculations during purchase operations

The lack of these validations allows creation of buyer agents that can disrupt protocol operations or create economically invalid scenarios. This impacts both protocol stability and user experience.

Impact

  • Economic manipulation through excessive fee extraction

  • Creation of non-viable buyers that cannot cover oracle costs

Recommendations

Add parameter validation to ensure:

  • Royalty fees are capped at 100%

  • Spending limits cover minimum oracle operation costs

  • Economic viability checks for new buyers
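One way to apply these checks in createBuyer, as an added example that is not the Swan project's code: the IBuyerAgentFactory interface, MAX_FEE_ROYALTY, minAmountPerRound and the custom errors are assumptions, and the factory is assumed to return an address rather than a BuyerAgent so the contract compiles stand-alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal factory interface mirroring the deploy() call in the report.
// Assumption: it returns the agent address; the real factory may differ.
interface IBuyerAgentFactory {
    function deploy(
        string calldata name,
        string calldata description,
        uint96 feeRoyalty,
        uint256 amountPerRound,
        address owner
    ) external returns (address);
}
contract SwanHardened {
    // Assumption: royalty is a whole percentage (0..100), matching the
    // platformFee <= 100 check the report cites elsewhere in the contract.
    uint96 public constant MAX_FEE_ROYALTY = 100;
    // Assumption: minimum spend per round that covers oracle fees. A real
    // deployment would expose an owner-only setter (omitted here).
    uint256 public minAmountPerRound;
    IBuyerAgentFactory public immutable buyerAgentFactory;

    error InvalidFeeRoyalty(uint96 feeRoyalty, uint96 maximum);
    error AmountPerRoundTooLow(uint256 amountPerRound, uint256 minimum);
    event BuyerCreated(address indexed owner, address indexed agent);

    constructor(IBuyerAgentFactory factory, uint256 minAmount) {
        buyerAgentFactory = factory;
        minAmountPerRound = minAmount;
    }

    function createBuyer(
        string calldata _name,
        string calldata _description,
        uint96 _feeRoyalty,
        uint256 _amountPerRound
    ) external returns (address) {
        // Reject royalties above 100% (the report's PoC passes 101).
        if (_feeRoyalty > MAX_FEE_ROYALTY) {
            revert InvalidFeeRoyalty(_feeRoyalty, MAX_FEE_ROYALTY);
        }
        // Reject a zero or below-oracle-cost limit so the buyer can fund a round.
        if (_amountPerRound < minAmountPerRound) {
            revert AmountPerRoundTooLow(_amountPerRound, minAmountPerRound);
        }
        address agent = buyerAgentFactory.deploy(_name, _description, _feeRoyalty, _amountPerRound, msg.sender);
        emit BuyerCreated(msg.sender, agent);
        return agent;
    }
}
```

With these checks in place the PoC call above reverts with InvalidFeeRoyalty, and a buyer that cannot afford a single oracle-backed round is never deployed.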

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
