function list
by continuously listing them unwanted assets. They do this by setting the asset value as low as 1 wei (because the asset value is 1 wei, they avoid paying both the buyer fee and the protocol (Dria) fee). A buyer has a limited number of assets that can be listed to them in each round, due to uint256 maxAssetCount;
Therefore this malicious lister can spam by listing assets worth 1 wei (this is really cheap to execute, because it mainly costs them transaction fees, which are negligible on Base L2). Once this has happened, the buyer would not want to buy anything this malicious lister has listed to them (the malicious lister will list assets that are completely unwanted and unrelated to the buyer's AI agent). If the buyer wants nothing from this list, they have to wait for the whole round to be completed so that they can change their state back to sell.
However, the malicious attacker can keep repeating this (even having the power to grief multiple buyers all at the same time), thus completely griefing the buyers in the protocol.
sell phase they all have uint256 maxAssetCount; = 5 (only 5 assets can be listed to them during the duration of 1 round), and let's assume all have set their fee royalty to 5%
function list https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L157
transferRoyalties(listings[asset]); and then the function https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L258
asset.price = 1 wei
asset.royaltyFee = 5 (representing 5%)
platformFee = 1 (representing 1%) (just an example of platform fees; the outcome will be the same for any value set by the protocol)
buyerFee is 0, driaFee also results in 0 wei.
maxAssetCount) for the first victim buyer in this round.
_feeroyalty percentage too, it will always round down to 0, as the asset.price is 1 wei)
maxAssetCount can differ, but this attack path will still work (it can potentially work for N buyers in the protocol that are in the Sell phase)
- maxAssetCount for the current round, they cannot receive any new, legitimate listings until the round ends.
sell phase again.
maxAssetCount is filled with low-value, irrelevant listings. This deprives them of profitable opportunities and effectively blocks their participation in the protocol until the current round ends. (Let's say someone wanted to list them an asset worth 1 WETH (which they also wanted) and the _feeroyalty was 5%: they would have gotten 5% of 1 WETH instantly (due to the function list) regardless of whether they would have bought this asset or not, but they could not get this opportunity as their maxAssetCount was filled.)
sell phase. This results in wasted time and potential financial loss, as they cannot act on legitimate listing opportunities (above example).
maxAssetCount of the buyers being full with spam listings all the time.
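The rounding and slot exhaustion in the example above can be checked with a small model. This is an added Python example, not code from Swan.sol or from the original submission; the fee formula (percentages applied with truncating integer division), the Round class and the reject_zero_fee guard are assumptions made for illustration.

```python
# Added model (not Swan.sol): integer fee math and per-round listing slots.
WEI_PER_ETHER = 10**18

def fees(price_wei, royalty_pct, platform_pct):
    """Assumed fee math: percentages applied with truncating integer division."""
    buyer_fee = price_wei * royalty_pct // 100   # charged to the lister at list time
    dria_fee = buyer_fee * platform_pct // 100   # protocol's share of that fee
    return buyer_fee, dria_fee

def min_price_for_nonzero_fee(royalty_pct):
    """Smallest price in wei at which the buyer fee stops truncating to 0."""
    return -(-100 // royalty_pct)                # ceil(100 / royalty_pct)

class Round:
    """One buyer's round: at most max_asset_count listings are accepted."""
    def __init__(self, max_asset_count, royalty_pct, platform_pct,
                 reject_zero_fee=False):
        self.max_asset_count = max_asset_count
        self.royalty_pct = royalty_pct
        self.platform_pct = platform_pct
        self.reject_zero_fee = reject_zero_fee   # hypothetical guard, not on the page
        self.listed = []
        self.fees_paid = 0

    def list_asset(self, price_wei):
        buyer_fee, _ = fees(price_wei, self.royalty_pct, self.platform_pct)
        if self.reject_zero_fee and buyer_fee == 0:
            return False                         # listing would cost the lister nothing
        if len(self.listed) >= self.max_asset_count:
            return False                         # slots exhausted until the round ends
        self.listed.append(price_wei)
        self.fees_paid += buyer_fee
        return True

def simulate(reject_zero_fee):
    """Five 1-wei listings, then one 1-ether listing, with maxAssetCount = 5."""
    r = Round(5, 5, 1, reject_zero_fee)
    dust = [r.list_asset(1) for _ in range(5)]
    legit = r.list_asset(WEI_PER_ETHER)
    return dust, legit, r.fees_paid

if __name__ == "__main__":
    print("fees at 1 wei:", fees(1, 5, 1))
    print("no guard:", simulate(False))
    print("zero-fee guard:", simulate(True))
```

Without the guard, the five 1-wei listings fill every slot at zero fee and the 1-ether listing is turned away; with it, the dust listings are refused and the buyer receives the 5% fee on the legitimate listing.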