Dria

Swan (NFT, Hardhat), 21,000 USDC
Submission Details
Severity: high
Status: Invalid

BuyerAgent Can Be Used As a Honeypot to Collect Royalties Without Ever Buying Assets

Vulnerability Details

A malicious user can create a BuyerAgent with a high amountPerRound but never fund it, creating a honeypot that:

  1. Attracts sellers with the high purchasing power display

  2. Collects royalty fees from sellers who list assets

  3. Never actually purchases any assets due to lack of funds

The issue occurs because:

  1. BuyerAgent creation has no funding requirement:

Swan.sol#L323-L336

```solidity
/// @notice Creates a new buyer agent.
/// @dev Emits a `BuyerCreated` event.
/// @return address of the new buyer agent.
function createBuyer(
    string calldata _name,
    string calldata _description,
    uint96 _feeRoyalty,
    uint256 _amountPerRound
) external returns (BuyerAgent) {
    BuyerAgent agent = buyerAgentFactory.deploy(_name, _description, _feeRoyalty, _amountPerRound, msg.sender);
    emit BuyerCreated(msg.sender, address(agent));
    return agent;
}
```

  2. Sellers pay royalty fees upfront when listing:

Swan.sol#L187-L188

```solidity
// transfer royalties
transferRoyalties(listings[asset]);
```

  3. The BuyerAgent's amountPerRound is publicly visible and used to attract sellers, but there is no guarantee the contract actually holds these funds.

Impact

  • Sellers lose money by paying royalty fees to malicious buyers who never intend to purchase

  • The protocol's reputation is damaged as sellers lose trust in buyers

  • Economic incentives are broken as malicious buyers can profit without providing value

  • Sellers waste gas deploying assets and listing them

Recommendations

Require minimum funding when creating a BuyerAgent.
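As an added example (not Swan's own code and not part of the submission), the following Solidity sketch shows one way to implement that recommendation: `createBuyer` takes an explicit deposit, refuses to deploy when the deposit is smaller than the advertised `amountPerRound`, and moves the deposit into the new agent in the same transaction. The purchase token (`token`), the `IBuyerAgentFactory` interface returning an address, the `_initialFunding` parameter, the `advertisedAmountPerRound` mapping and the `hasRoundBudget` helper are all assumptions made for illustration; only the original `createBuyer` parameters come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Swan's own code. Everything below except the createBuyer
// parameters quoted in the report is an assumption made for illustration.

/// @dev Minimal ERC20 surface needed here (assumed purchase token of the protocol).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// @dev Assumed factory interface; mirrors the deploy(...) call in the report but returns an address.
interface IBuyerAgentFactory {
    function deploy(
        string calldata name,
        string calldata description,
        uint96 feeRoyalty,
        uint256 amountPerRound,
        address owner
    ) external returns (address);
}

contract SwanFundedCreation {
    IERC20 public immutable token;
    IBuyerAgentFactory public immutable buyerAgentFactory;

    /// @dev Recorded so sellers can compare an agent's advertised budget with its real balance.
    mapping(address => uint256) public advertisedAmountPerRound;

    event BuyerCreated(address indexed owner, address indexed agent);

    error InsufficientInitialFunding(uint256 provided, uint256 required);
    error FundingTransferFailed();

    constructor(IERC20 _token, IBuyerAgentFactory _factory) {
        token = _token;
        buyerAgentFactory = _factory;
    }

    /// @notice Creates a buyer agent only if the creator deposits at least one round's budget.
    /// @param _initialFunding Amount of `token` pulled from msg.sender into the new agent (assumed parameter).
    function createBuyer(
        string calldata _name,
        string calldata _description,
        uint96 _feeRoyalty,
        uint256 _amountPerRound,
        uint256 _initialFunding
    ) external returns (address agent) {
        // An agent that advertises more than it is funded with is exactly the unfunded
        // honeypot the report describes, so refuse to deploy it.
        if (_initialFunding < _amountPerRound) {
            revert InsufficientInitialFunding(_initialFunding, _amountPerRound);
        }

        agent = buyerAgentFactory.deploy(_name, _description, _feeRoyalty, _amountPerRound, msg.sender);
        advertisedAmountPerRound[agent] = _amountPerRound;

        // The deposit lands in the agent in the same transaction, so creation and
        // funding cannot be separated. msg.sender must have approved this contract
        // for `_initialFunding` beforehand.
        if (!token.transferFrom(msg.sender, agent, _initialFunding)) {
            revert FundingTransferFailed();
        }

        emit BuyerCreated(msg.sender, agent);
    }

    /// @notice Seller-side precheck: does the agent currently hold at least what it advertises?
    /// @dev Funding at creation says nothing about later balance changes, so a seller
    ///      can re-check this before paying royalties on a listing.
    function hasRoundBudget(address agent) external view returns (bool) {
        return token.balanceOf(agent) >= advertisedAmountPerRound[agent];
    }
}
```

The creation-time check only binds at the moment of deployment; whether the deposit can leave the agent again afterwards depends on BuyerAgent's own withdrawal logic, which is not shown on this page, so the `hasRoundBudget` balance check at listing time is the complementary control. For tokens that do not return a bool from `transferFrom`, a SafeERC20-style wrapper would replace the boolean check.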

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 10 months ago: Submission Judgement Published. Invalidated. Reason: Design choice

Appeal created

0xnbvc (Submitter), 10 months ago

inallhonesty (Lead Judge), 10 months ago

inallhonesty (Lead Judge), 10 months ago: Submission Judgement Published. Invalidated. Reason: Design choice
