The protocol lacks a minimum price check for listed assets, enabling attackers to list items at extremely low prices (e.g., 1 wei or free). At such prices the royalty fee computed in the transferRoyalties method rounds down to zero, so an attacker can avoid paying royalties while flooding the purchase list with worthless assets up to the per-round listing cap.
The protocol sets a cap on the number of items that can be listed per round for a buyer (Swan.sol#L168-L169). However, there is no minimum price check for assets, allowing an attacker to list assets at a price as low as 1 wei—or even 0 wei. In the transferRoyalties method, such low prices cause royalty fees to round down to zero, effectively letting an attacker list assets without paying royalties, incurring only the gas fees (Swan.sol#L260).
For example, consider an asset priced at 9 wei with a 10% royalty fee: 10% of 9 wei is 0.9 wei, and integer division truncates this to 0.
Since Solidity does not support floating-point numbers, the buyerFee is truncated to zero, allowing the transaction to bypass royalty fees entirely.
This makes it cheap to abuse the protocol by flooding it with worthless assets.
Because the per-round listing cap can be filled with worthless assets, buyers are unable to find suitable assets to purchase, and legitimate sellers cannot get their items in front of potential buyers.
Manual review
Introduce a minimum price requirement for asset listings to prevent assets from being listed at unreasonably low prices. The minimum should be chosen relative to the royalty fee resolution so that the computed fee is always at least 1 unit (for a percentage-based fee, a price of at least 100 guarantees a non-zero fee for any royalty fee of 1% or more); as defense in depth, the listing can also revert when the computed royalty is zero.
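As an added illustration (not code from the Swan repository), the following minimal Solidity contract shows the truncating fee computation described above beside a hardened listing function that enforces the recommended minimum price. The fee formula, the MIN_PRICE constant, the percentage encoding of royaltyFee, and all function names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Example only: demonstrates how an integer royalty computation rounds
/// down to zero for tiny prices, and how a minimum-price check prevents it.
/// The formula and constants are assumptions, not Swan's actual code.
contract RoyaltyTruncationDemo {
    struct Listing {
        address seller;
        uint256 price;      // in token base units (wei-like)
        uint256 royaltyFee; // assumed encoding: whole percent, 1..100
    }

    // Hypothetical floor. With royaltyFee >= 1, price >= 100 guarantees
    // price * royaltyFee / 100 >= 1, so the fee can never truncate to zero.
    uint256 public constant MIN_PRICE = 100;

    Listing[] public vulnerableListings;
    Listing[] public hardenedListings;

    /// Assumed fee formula: integer division truncates any fractional unit.
    /// computeRoyalty(9, 10) == 0, computeRoyalty(100, 1) == 1.
    function computeRoyalty(uint256 price, uint256 royaltyFee) public pure returns (uint256) {
        return (price * royaltyFee) / 100;
    }

    /// Vulnerable pattern: any price is accepted, so a 9-unit asset at 10%
    /// (or a 0-unit asset at any rate) is listed with a zero royalty.
    function listVulnerable(uint256 price, uint256 royaltyFee) external {
        require(royaltyFee >= 1 && royaltyFee <= 100, "bad royalty fee");
        vulnerableListings.push(Listing(msg.sender, price, royaltyFee));
    }

    /// Hardened pattern: reject prices below the floor, and independently
    /// reject any listing whose computed royalty would be zero (defense in
    /// depth in case MIN_PRICE is later lowered or the fee encoding changes).
    function listHardened(uint256 price, uint256 royaltyFee) external {
        require(royaltyFee >= 1 && royaltyFee <= 100, "bad royalty fee");
        require(price >= MIN_PRICE, "price below minimum");
        require(computeRoyalty(price, royaltyFee) > 0, "royalty rounds to zero");
        hardenedListings.push(Listing(msg.sender, price, royaltyFee));
    }
}
```

Calling listVulnerable(9, 10) succeeds and the resulting royalty is 0, while listHardened(9, 10) reverts with "price below minimum"; listHardened(100, 1) succeeds with a royalty of 1. The second require in listHardened is redundant while MIN_PRICE is 100, but it keeps the invariant explicit if the floor or fee resolution is ever changed.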