Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Vulnerability in Asset Count Verification in list Function of swan.sol Contract

Summary

In the list function of the Swan.sol contract, there exists a vulnerability related to the enforcement of the maximum asset count allowed per buyer in a given round. The current implementation checks whether the count of assets for a buyer in a round is equal to maxAssetCount, allowing an additional asset to be listed when the count exceeds the limit. This oversight can lead to the unintentional listing of more assets than permitted, creating potential financial discrepancies and exploit opportunities.

Vulnerability Details

Code Snippet of Concern:

// asset count must not exceed `maxAssetCount`
if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
    revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}

The current condition only reverts the transaction when the count of assets for the buyer in the specified round is exactly equal to maxAssetCount. This allows the function to continue and list another asset if the count has already exceeded maxAssetCount, which is contrary to the intended logic expressed in the comment.

Impact

  1. Violation of Asset Limits: The existing logic allows users to exceed the maximum asset count, potentially leading to an unregulated market environment.

  2. User Confusion: Buyers might unintentionally create excess listings, resulting in confusion regarding the state of their assets and adherence to market rules.

  3. Reputation Risk: If the protocol does not enforce expected limits, it may undermine user trust and confidence in the platform’s reliability.

Tools Used

Manual review

Recommendations

Modify the Condition: The conditional check in the list function should be updated to ensure that the count of assets for the buyer in the current round does not exceed maxAssetCount. The revised condition should look like this:

if (assetsPerBuyerRound[_buyer][round].length >= getCurrentMarketParameters().maxAssetCount) {
    revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}

By implementing this change, the contract will correctly enforce the maximum asset count limit for each buyer in a round, preventing any unintended listings and maintaining the integrity of the asset management system.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[INVALID] List unlimited items

SwanManager::setMarketParameters pushes the new parameters `marketParameters.push(_marketParameters);`. After that, when the user calls list, the protocol computes the round and the phase `(uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();`. Inside the getRoundPhase function you have this if statement on top: `if (marketParams.length == marketParameterIdx + 1) {`. The setMarketParameters call changed the `marketParams` length, which will cause the first case to be false and run the else statement. At the end of that statement we see there is a new round. So the second element of this check `(getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length` is zero, because the [round] is fresh.
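The judging rationale above can be checked against a small model. The JavaScript below is an added example, not code from the Swan repository or from either participant: the `Market` class, `fill`, `scenario` and the `freshRound` switch are hypothetical simplifications, and `freshRound = false` is a counterfactual that, per the judge's comment, does not occur in the contract.

```javascript
// Simplified model (assumption): one buyer, a list of market-parameter sets,
// and assets stored per round. list() appends exactly one asset per call.
class Market {
  constructor(maxAssetCount, strict) {
    this.params = [{ maxAssetCount }];
    this.round = 0;
    this.assets = { 0: [] };
    this.strict = strict; // true: `>=` guard (recommended), false: `==` guard (reported)
  }
  // Per the judge's description, pushing new parameters leads to a fresh round,
  // so the per-round array starts empty. freshRound=false is the counterfactual.
  setMarketParameters(maxAssetCount, freshRound = true) {
    this.params.push({ maxAssetCount });
    if (freshRound) { this.round += 1; this.assets[this.round] = []; }
  }
  list(asset) {
    const max = this.params[this.params.length - 1].maxAssetCount;
    const len = this.assets[this.round].length;
    const limitHit = this.strict ? len >= max : len === max;
    if (limitHit) throw new Error(`AssetLimitExceeded(${max})`);
    this.assets[this.round].push(asset);
  }
}

// Attempt `attempts` listings; return how many assets the current round holds.
function fill(market, attempts) {
  for (let i = 0; i < attempts; i++) {
    try { market.list(`asset-${i}`); } catch (e) { /* listing rejected */ }
  }
  return market.assets[market.round].length;
}

// Reach a limit of 5, lower the limit to 3, then try ten more listings.
function scenario(strict, freshRound) {
  const m = new Market(5, strict);
  fill(m, 5);
  m.setMarketParameters(3, freshRound);
  return fill(m, 10);
}

console.log({
  eqFresh: scenario(false, true),  gteFresh: scenario(true, true),
  eqSame: scenario(false, false),  gteSame: scenario(true, false),
});
```

Because the array grows by one per call, the `==` guard can only be bypassed if the limit drops below the current length within the same round; the fresh round removes that case, while `>=` holds without depending on it.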
