Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Failure to Update seller Field After Purchase Allows Previous Owner to Retain Control and leading to loss of funds for the buyer

bhunter

Summary

Purchase() function is not updatinglistings mapping, allowing the previous creator to control the nft and also loss of funds for the buyer.

Vulnerability Details

A purchase can be made via purchase() method in buyerAgent.sol, which makes a call to same named function in swan contract. Let's look at the purchase() function in swan contract:

function purchase(address _asset) external {

AssetListing storage listing = listings[_asset];

// asset must be listed to be purchased

if (listing.status != AssetStatus.Listed) {

revert InvalidStatus(listing.status, AssetStatus.Listed);

}

// can only the buyer can purchase the asset

if (listing.buyer != msg.sender) {

revert Unauthorized(msg.sender);

}

// update asset status to be sold

listing.status = AssetStatus.Sold;

// transfer asset from seller to Swan, and then from Swan to buyer

// this ensure that only approval to Swan is enough for the sellers

SwanAsset(_asset).transferFrom(listing.seller, address(this), 1);

SwanAsset(_asset).transferFrom(address(this), listing.buyer, 1);

// transfer money

token.transferFrom(listing.buyer, address(this), listing.price);

token.transfer(listing.seller, listing.price);

emit AssetSold(listing.seller, msg.sender, _asset, listing.price);

}

the nft is transfered to listing.buyer, however the listings mapping is not updated to reflect that the new buyer is the asset's current owner. This means that after purchase, the seller field in listings[_asset] still references the original seller, not the new owner. There are two potential impacts in this case:)

The asset can be controlled by the previous creator(seller). For example the previous creator can relist the asset without consent of new owner
The buyer(new owner) can not list/relist the nft because of the way the functions are implemented. This will make the asset useless and means loss of funds for the buyer.

Impact

see above

Tools Used

Manual Review

Recommendations

update listings mapping to make sure the previous creator can not control the asset and also adjust the list() or relist() methods accordingly so that the new owner can use the asset for future listings

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.