Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: high
Invalid

Sellers Can Grief Buyers Through Purchase Frontrunning While Avoiding Protocol Fees

Vulnerability Details

A malicious seller can grief buyers by frontrunning their purchase() calls with relist(), while avoiding protocol fees through the rounding error vulnerability (cf. the issue "Fee Calculations Can Be Exploited to Avoid Protocol Fees Due to Rounding Errors").

The attack works as follows:

  1. Seller lists an asset with a carefully chosen price to avoid paying royalty fees due to the rounding error explained in the issue cited above: Swan.sol#L151-L191.

  2. Buyer spends money on oracle fees with BuyerAgent.oraclePurchaseRequest() -> LLMOracleCoordinator.request(): LLMOracleCoordinator.sol#L142-L195

  3. Buyer enters the Buy Phase and calls purchase() to purchase the listed item: BuyerAgent.sol#L218-L256

  4. Seller frontruns the buyer's purchase() call with relist(), relisting the asset to another buyer in the Sell Phase, and so on: Swan.sol#L193-L255

Impact

  1. Buyers lose money spent on oracle fees

  2. Protocol loses fees twice:

    • No royalty fees collected due to rounding exploit

    • Oracle fees are wasted on griefed transactions

  3. The attack can be repeated at very low cost to the attacker (only gas costs, which are very low on Base)

Recommendations

Add a check to ensure that the actual buyer of the listed asset has passed the Buy Phase, removing the opportunity to frontrun the purchase() call.

Updates

Lead Judging Commences

inallhonesty, Lead Judge, 11 months ago

inallhonesty, Lead Judge, 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
