Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

A malicious seller can prevent an honest buyerAgent from purchasing the NFT it needs by listing many useless NFTs with price == 0 until `assetsPerBuyerRound` reaches its maximum value

Summary

A malicious seller can prevent an honest buyerAgent from purchasing the NFT it needs by listing many useless NFTs with price == 0 until `assetsPerBuyerRound` reaches its maximum value, after which no other seller can list to that buyerAgent.

Vulnerability Details

Schema:

  1. The honest owner of a buyerAgent deploys the buyerAgent with this description:

    backstory: “Dr.EscalateForMyMoney during developments in brain surgery”

    objective: “to become number 1 brain surgery Doctor”

  2. The malicious seller monitors the buyerAgent deployment contract and finds out the address and detailed description (backstory, objective) of the buyerAgent.

  3. The malicious seller lists an NFT with the description “tractor” (or any irrelevant description) and keeps listing until the honest buyerAgent reaches the maximum value of `assetsPerBuyerRound`.

  4. As a result, the honest buyerAgent never gets the NFT it wants.

  5. This attack can be repeated in every round.

Coded POC

Create any test file and rename it, copy this code into it, then run `yarn test 'path/test.test.ts'`.

Coded POC and result

Impact

For the protocol:

The protocol loses its selling fee because the NFT price is 0, and free NFTs are given to the honest buyerAgent if it keeps buying them.

For the honest buyerAgent:

It is true that it receives a lot of NFTs if it keeps buying them (price = 0), but it does not get the NFTs it needs and it still has to pay the purchase fees (protocol fee, generator fee, and validator fee).

For the malicious seller:

No risk, because this attack can be executed freely with no capital and can be repeated in any round against any buyerAgent.

Tools Used

Manual Review

Recommended Mitigation

  1. Consider limiting each seller when listing NFT assets (i.e. a seller can list at most 5 NFTs per round)

  2. Consider adding a check for NFT price ≠ 0
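
The two recommended checks, written as a minimal stand-alone Solidity guard. This is an added example, not code from the Swan repository: every name except `assetsPerBuyerRound` is hypothetical, and the round is passed in as a parameter only for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Swan's contract. Every name except
/// assetsPerBuyerRound is hypothetical.
contract ListingGuard {
    error PriceBelowMinimum(uint256 price, uint256 minimum);
    error SellerRoundLimitReached(address seller, uint256 limit);
    error BuyerRoundFull(address buyer, uint256 round);

    uint256 public immutable maxAssetsPerRound;  // existing per-buyer cap
    uint256 public immutable maxPerSellerRound;  // mitigation 1 (e.g. 5)
    uint256 public immutable minListingPrice;    // mitigation 2 (> 0)

    // buyer => round => listings received
    mapping(address => mapping(uint256 => uint256)) public assetsPerBuyerRound;
    // seller => buyer => round => listings made by that seller
    mapping(address => mapping(address => mapping(uint256 => uint256)))
        public listedBySeller;

    constructor(uint256 maxAssets, uint256 perSeller, uint256 minPrice) {
        // A per-seller limit at or above the buyer cap would not stop one
        // seller from filling the round; a zero floor would allow price == 0.
        require(perSeller > 0 && perSeller < maxAssets, "bad seller limit");
        require(minPrice > 0, "min price must be non-zero");
        maxAssetsPerRound = maxAssets;
        maxPerSellerRound = perSeller;
        minListingPrice = minPrice;
    }

    /// Call at the start of the listing path, before minting or transfers.
    /// `round` is a parameter for brevity; a real contract would read the
    /// current round from the buyer agent rather than trust the caller.
    function checkAndRecordListing(address buyer, uint256 round, uint256 price)
        external
    {
        if (price < minListingPrice)
            revert PriceBelowMinimum(price, minListingPrice);
        uint256 bySeller = listedBySeller[msg.sender][buyer][round];
        if (bySeller >= maxPerSellerRound)
            revert SellerRoundLimitReached(msg.sender, maxPerSellerRound);
        uint256 total = assetsPerBuyerRound[buyer][round];
        if (total >= maxAssetsPerRound) revert BuyerRoundFull(buyer, round);

        listedBySeller[msg.sender][buyer][round] = bySeller + 1;
        assetsPerBuyerRound[buyer][round] = total + 1;
    }
}
```

The two checks are applied together: the cap is counted per address, while the price floor ensures every listing carries a non-zero price and therefore a non-zero selling fee.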

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price
