Dria
Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

Denial of Service in Listing via Spam Assets Listing

Summary

A Denial of Service (DoS) vulnerability exists in the Swan::list function of the Swan contract. The function caps the number of assets that can be listed for a given buyer in a given round (maxAssetCount), and nothing stops an attacker from consuming that cap with worthless listings. By repeatedly calling list with zero-priced (or near-zero-priced) assets, an attacker fills the assetsPerBuyerRound array for a targeted buyer, after which every legitimate listing for that buyer reverts for the rest of the round.

Vulnerability Details

The list function limits how many assets sellers may list per round for a designated buyer, using the maxAssetCount value from SwanMarketParameters. The limit is enforced by the following check:
https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol?plain=1#L168-L170

// Swan.sol: reverts as soon as the buyer's array for this round is full
if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
    revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}

Once assetsPerBuyerRound[_buyer][round] holds maxAssetCount entries, every further listing for that buyer in that round reverts with AssetLimitExceeded. The check does not care who listed the assets or what they are worth, so an attacker can fill the array with spam assets priced at zero or near zero (avoiding any price-based fee), blocking legitimate listings for that buyer. The attacker's only cost is gas, which makes the attack cheap enough to repeat every round.

Impact

Legitimate sellers are denied service: once the cap is filled, no one can list an asset for the targeted buyer until the next round begins. An attacker can therefore block the buyer's intended business operations entirely. Because the cost is essentially just gas, the attack can be repeated in every round, keeping the buyer starved of real listings indefinitely.

Attack Path

  • The attacker waits for the targeted buyer's round to start.

  • The attacker lists spam assets for that buyer at zero or near-zero price until assetsPerBuyerRound[_buyer][round].length reaches maxAssetCount.

  • From that point on, every legitimate list call for that buyer in that round reverts with AssetLimitExceeded.

  • The attacker repeats the process at the start of each new round, so the targeted buyer never receives legitimate listings.
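The following is an added example, not code from the Swan project or this report: a small TypeScript model of the per-buyer, per-round cap that Swan::list enforces, used to walk through the attack path above. Everything beyond the cap check is an assumption introduced here for illustration: the listing fee is modelled as price * feeBps / 10000, and `minPrice` is a hypothetical mitigation parameter (0 reproduces the behaviour described in the report). The cap value 5 follows the project's tests, which list 5 assets and then expect the next listing to revert.

```typescript
// Added example (not Swan's own code): a minimal model of the per-buyer,
// per-round listing cap enforced by Swan::list. Assumptions not on the page:
// the fee formula (price * feeBps / 10000) and the hypothetical `minPrice`.

class SwanRevert extends Error {
  constructor(name: string, message: string) {
    super(message);
    this.name = name; // matched by name so it works at any TS target
  }
}

interface Listing {
  seller: string;
  buyer: string;
  round: number;
  price: number;
  feePaid: number;
}

class SwanModel {
  readonly listings: Listing[] = [];
  // mirrors assetsPerBuyerRound[_buyer][round]; stores indices into `listings`
  private readonly assetsPerBuyerRound: Record<string, number[]> = {};

  constructor(
    readonly maxAssetCount: number, // SwanMarketParameters.maxAssetCount
    readonly feeBps: number,        // hypothetical listing fee in basis points
    readonly minPrice: number = 0,  // hypothetical mitigation; 0 = as deployed
  ) {}

  listedThisRound(buyer: string, round: number): number {
    const arr = this.assetsPerBuyerRound[`${buyer}:${round}`];
    return arr ? arr.length : 0;
  }

  list(seller: string, buyer: string, round: number, price: number): Listing {
    // Same check as Swan.sol: revert once the buyer's array for this round is full.
    if (this.listedThisRound(buyer, round) === this.maxAssetCount) {
      throw new SwanRevert("AssetLimitExceeded", `AssetLimitExceeded(${this.maxAssetCount})`);
    }
    if (price < this.minPrice) {
      throw new SwanRevert("PriceBelowMinimum", `PriceBelowMinimum(${price}, ${this.minPrice})`);
    }
    const feePaid = Math.floor((price * this.feeBps) / 10000);
    const listing: Listing = { seller, buyer, round, price, feePaid };
    const idx = this.listings.push(listing) - 1;
    const key = `${buyer}:${round}`;
    (this.assetsPerBuyerRound[key] = this.assetsPerBuyerRound[key] || []).push(idx);
    return listing;
  }
}

interface SpamResult {
  attackerListings: number;   // spam assets needed to fill the cap
  attackerFeesPaid: number;   // total listing fee paid by the attacker (gas excluded)
  legitimateBlocked: boolean; // did the honest seller's listing revert?
}

function isRevert(e: unknown, name: string): boolean {
  return e instanceof Error && e.name === name;
}

// The attack path from the report: fill the targeted buyer's array for the
// current round with spam listings at `spamPrice`, then have an honest seller
// try to list a real asset for the same buyer and round.
function simulateSpam(swan: SwanModel, buyer: string, round: number, spamPrice: number): SpamResult {
  let attackerListings = 0;
  let attackerFeesPaid = 0;
  for (;;) {
    try {
      attackerFeesPaid += swan.list("attacker", buyer, round, spamPrice).feePaid;
      attackerListings++;
    } catch (e) {
      if (isRevert(e, "AssetLimitExceeded")) break; // cap reached
      throw e; // e.g. PriceBelowMinimum: the attacker has to raise the spam price
    }
  }
  let legitimateBlocked = false;
  try {
    swan.list("honest-seller", buyer, round, 1000000);
  } catch (e) {
    if (!isRevert(e, "AssetLimitExceeded")) throw e;
    legitimateBlocked = true;
  }
  return { attackerListings, attackerFeesPaid, legitimateBlocked };
}

// Stand-alone demo: cap of 5, 1% fee, attacker lists at price 0 and pays no fee.
const demo = simulateSpam(new SwanModel(5, 100), "buyer-agent", 0, 0);
console.log(demo);
```

Running the model with `minPrice` set shows the limit of a minimum-price mitigation: zero-priced spam is rejected, so the attacker now pays a fee per listing, but a funded attacker can still fill the cap and the honest seller is still blocked. The cap also resets per round, so the attack has to be (and can be) repeated each round.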

Tools Used

Manual review

Recommendations

No code-level fix is proposed here: the cap behaves exactly as implemented, and the weakness lies in the design of a fixed per-buyer listing cap that can be filled with free (zero-priced) listings. Any mitigation that only raises the per-listing cost, such as requiring a minimum listing price, makes the attack more expensive but does not by itself prevent a funded attacker from filling the cap.

POC

No dedicated Proof of Concept is needed, since the behaviour is already exercised by the existing tests in Swan.test.ts:

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/test/Swan.test.ts?plain=1#L167 : it("should list 5 assets for the first round") test successfully adds assets.

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/test/Swan.test.ts?plain=1#L193 : it("should NOT allow to list an asset more than max asset count") test correctly reverts on AssetLimitExceeded error.

Together these tests show that the cap is enforced exactly as written; the problem is that nothing prevents an attacker from being the one who fills it, which is the design flaw described above.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price
