Dria / Swan
Tags: NFT, Hardhat
Prize pool: 21,000 USDC
Submission Details
Severity: High
Status: Invalid

Malicious actor can create many scam `buyerAgent`s, profit from them, and harm the protocol and sellers

Summary

A malicious actor can create many scam `BuyerAgent`s without transferring any funds to them, and then, in the withdraw phase, withdraw everything the agents hold. Those funds come from the royalty fees paid by honest sellers who listed their NFTs on the agents.

This is possible because:

  1. An owner can freely create as many `buyerAgent`s as they want.

  2. When creating a `buyerAgent`, the owner is not required to fund it with at least `amountPerRound` + the protocol fee.

Vulnerability Details

Schema

  1. The malicious actor creates many `buyerAgent`s with varied descriptions to attract sellers to list on them.

  2. Honest sellers list their Swan asset NFTs on a malicious `buyerAgent`, and the `buyerAgent` receives the `royaltyFee` at listing time.

  3. In the buy phase, no purchase can be made because the owner never sent any funds to the `buyerAgent`.

  4. In the withdraw phase, the owner of the malicious `buyerAgent`s withdraws all funds (the collected `royaltyFee`s) without any restriction and without having committed any initial capital.

Note

In the contest README, the root cause of the known issue below is that the `buyerAgent` owner front-runs the Swan operator by calling `oraclePurchaseRequest`:

> `oraclePurchaseRequest` and `oracleStateRequest` are called by either the buyer owner or a Swan operator. It is possible that a malicious buyer owner acts before the Swan operator to make a dummy `oraclePurchaseRequest`, e.g. the input is "say moo!" and therefore the output contains no assets to be bought at all. That way, it can guarantee that nothing will be bought, and collect fees. It can also set an arbitrary state by doing the same attack on `oracleStateRequest` with an arbitrary input.

This submission describes a different root cause: the owner never deposits anything into the `buyerAgent`, so even when the operator calls `oraclePurchaseRequest`, the call always fails (the agent cannot pay the fee) and no purchase is made. Then, in the withdraw phase, the owner withdraws all of the agent's funds.

Thus this issue and the known issue have different root causes and require different fixes.

Coded POC

Create any test file and rename it, copy this code into it, then run `yarn test 'path/test.test.ts'`.

Coded POC and result

Impact

  1. A malicious actor can create many scam `BuyerAgent`s, profit from them, and harm the protocol and sellers.

  2. Honest sellers lose the `royaltyFee` they paid for listings that can never be bought.

Tools Used

Manual Review

Hardhat

Recommended Mitigation

  1. Consider restricting `buyerAgent` creation to one `buyerAgent` per owner.

  2. Add a check that the owner funds the `buyerAgent` with at least `amountPerRound` + the protocol fee at creation.
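The round described in the Schema above and the two checks recommended here, as an added TypeScript model constructed for this write-up. It is not the Swan contracts or the contest's test suite: the flat `PROTOCOL_FEE`, the up-front royalty formula (basis points of the listing price, charged to the seller at listing time) and every name are assumptions made for illustration. The same model runs once without the checks (the scam path from this report) and once with them.

```typescript
// Constructed model of one Swan round, not the Swan contracts. All names,
// the flat protocol fee and the royalty formula are assumptions.

const PROTOCOL_FEE = 50n; // assumed flat fee an agent must hold to pay for its purchase call
const PROTOCOL = "protocol";

interface Listing { seller: string; price: bigint; }

interface BuyerAgent {
  owner: string;
  amountPerRound: bigint; // budget the agent is meant to spend per round
  royaltyBps: number;     // fee sellers pay at listing time (assumed: basis points of price)
  listings: Listing[];
}

/** Minimal token ledger so every transfer in the scenario is visible. */
class Ledger {
  private balances = new Map<string, bigint>();
  constructor(initial: Record<string, bigint>) {
    for (const [who, amt] of Object.entries(initial)) this.balances.set(who, amt);
  }
  balanceOf(who: string): bigint { return this.balances.get(who) ?? 0n; }
  transfer(from: string, to: string, amt: bigint): void {
    if (this.balanceOf(from) < amt) throw new Error(`${from}: insufficient balance`);
    this.balances.set(from, this.balanceOf(from) - amt);
    this.balances.set(to, this.balanceOf(to) + amt);
  }
}

class SwanModel {
  private agents = new Map<string, BuyerAgent>();
  private ownerOf = new Map<string, string>(); // owner -> agent id
  private ledger: Ledger;
  private mitigated: boolean;
  constructor(ledger: Ledger, mitigated: boolean) { this.ledger = ledger; this.mitigated = mitigated; }

  /** Agent creation; `mitigated` enables the two checks this report recommends. */
  createBuyer(id: string, owner: string, amountPerRound: bigint, royaltyBps: number, deposit: bigint): void {
    if (this.mitigated) {
      if (this.ownerOf.has(owner)) throw new Error("one buyer agent per owner");
      if (deposit < amountPerRound + PROTOCOL_FEE) throw new Error("deposit below amountPerRound + protocol fee");
    }
    this.ledger.transfer(owner, id, deposit); // a deposit of 0 is accepted when unmitigated
    this.agents.set(id, { owner, amountPerRound, royaltyBps, listings: [] });
    this.ownerOf.set(owner, id);
  }

  /** Sell phase: the seller pays the agent's royalty fee up front, whatever happens later. */
  list(id: string, seller: string, price: bigint): void {
    const agent = this.agent(id);
    const royalty = (price * BigInt(agent.royaltyBps)) / 10_000n;
    this.ledger.transfer(seller, id, royalty);
    agent.listings.push({ seller, price });
  }

  /** Buy phase: a purchase only goes through if the agent can cover price + fee. */
  buy(id: string): number {
    const agent = this.agent(id);
    let bought = 0;
    for (const l of agent.listings) {
      if (l.price > agent.amountPerRound || this.ledger.balanceOf(id) < l.price + PROTOCOL_FEE) continue;
      this.ledger.transfer(id, l.seller, l.price);
      this.ledger.transfer(id, PROTOCOL, PROTOCOL_FEE);
      bought++;
    }
    return bought;
  }

  /** Withdraw phase: the owner takes everything the agent holds, royalties included. */
  withdrawAll(id: string): bigint {
    const amt = this.ledger.balanceOf(id);
    this.ledger.transfer(id, this.agent(id).owner, amt);
    return amt;
  }

  private agent(id: string): BuyerAgent {
    const a = this.agents.get(id);
    if (!a) throw new Error(`unknown agent ${id}`);
    return a;
  }
}

interface Outcome { created: boolean; bought: number; ownerNet: bigint; sellerNet: bigint; }

/** One round: an owner holding `ownerStart` creates an agent with `deposit`; one honest seller lists a 1000-token asset. */
function runRound(mitigated: boolean, ownerStart: bigint, deposit: bigint): Outcome {
  const ledger = new Ledger({ owner: ownerStart, seller: 10_000n });
  const swan = new SwanModel(ledger, mitigated);
  try {
    swan.createBuyer("agent", "owner", 1_000n, 1_000 /* 10% royalty */, deposit);
  } catch {
    return { created: false, bought: 0, ownerNet: 0n, sellerNet: 0n };
  }
  swan.list("agent", "seller", 1_000n);
  const bought = swan.buy("agent");
  swan.withdrawAll("agent");
  return { created: true, bought, ownerNet: ledger.balanceOf("owner") - ownerStart, sellerNet: ledger.balanceOf("seller") - 10_000n };
}

const scam = runRound(false, 0n, 0n);         // created, bought 0, ownerNet 100n, sellerNet -100n
const blocked = runRound(true, 0n, 0n);       // created: false, nothing charged to the seller
const honest = runRound(true, 2_000n, 1_050n); // created, bought 1, ownerNet -950n, sellerNet 900n
```

The unmitigated run shows the report's point in numbers: the owner starts with nothing, the seller is charged 100 tokens at listing, the buy phase skips the asset because the agent cannot cover price plus fee, and withdraw hands the 100 tokens to the owner. With the deposit check enabled, creation is refused before any seller can be charged, while an owner who does lock `amountPerRound` + fee completes a real purchase.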

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created by 0xdemon (Submitter), 10 months ago

inallhonesty (Lead Judge), 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
