Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

A Malicious Lister Can Execute A Griefing Attack that can Harm the buyers in the Swan Protocol

Summary
A malicious lister can spam buyers in the protocol by continuously calling the function list to list unwanted assets to them. The lister sets the asset price as low as 1 wei; because the price is 1 wei, they avoid paying both the buyer fee and the protocol (Dria) fee. Each buyer can only have a limited number of assets listed to them in each round (uint256 maxAssetCount), so the malicious lister can fill that limit with assets worth 1 wei. This is really cheap to do because it mainly costs transaction fees, which are negligible on Base L2.

Once this has happened, the buyer will not want to buy anything this malicious lister has listed to them, because the listed assets are completely unwanted and unrelated to the buyer's AI agent. If the buyer wants nothing from this list, they have to wait for the whole round to complete before their state changes back to Sell. The malicious attacker can keep repeating this, and can even grief multiple buyers at the same time, thus completely griefing the buyers in the protocol.

Vulnerability Details
Example of this attack:
Say there are 3 buyer agents in the protocol that are in the Sell phase. They all have uint256 maxAssetCount = 5 (only 5 assets can be listed to them during 1 round), and assume all have set their fee royalty to 5%.
A malicious lister sees this and wants to grief all 3 of these buyers.
- First, the lister calls the function list: https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L157
- In the input, the malicious lister first sets the address of the first buyer.
- The malicious lister sets the price of the listed asset to 1 wei, which results in a 5% fee royalty that rounds down to 0 wei (essentially bypassing the fee for each listing). This happens in the line transferRoyalties(listings[asset]); and then in the function at https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L258
POC of how it rounds down in such a case:
asset.price = 1 wei

asset.royaltyFee = 5 (representing 5%)

platformFee = 1 (representing 1%; this is just an example platform fee, the outcome is the same for any value set by the protocol)

buyerFee = (asset.price * asset.royaltyFee) / 100
= (1 wei * 5) / 100
= 5 / 100
= 0 wei
driaFee = (buyerFee * platformFee) / 100
= (0 wei * 1) / 100
= 0 / 100
= 0 wei

Since buyerFee is 0, driaFee also results in 0 wei.
Asset limit exploitation: The lister repeats this process 5 times, listing exactly 5 assets (reaching the maxAssetCount) for the first victim buyer in this round.

- Moving to the next buyer agent: after filling the first buyer's asset count, the attacker repeats the same steps for the remaining 2 buyers (the same attack as above for both of them).
Note: whatever they have set their _feeroyalty percentage to, it will always round down to 0 because asset.price is 1 wei.

Each buyer is now "griefed" with 5 assets that they do not want. As a short example, say one of the buyer agents was named harry potter: the malicious lister listed this agent unrelated assets such as a graphics card, a motherboard or anything else that is unrelated.

Note: the number of buyers and maxAssetCount can differ but this attack path will still work (it can potentially work for N buyers in the protocol that are in the Sell phase).

As each of the buyers has reached their maxAssetCount for the current round, they cannot receive any new, legitimate listings until the round ends.
The buyers must now wait for the round to end to go to the Sell phase again.
Note: the attacker can keep repeating this process again and again, even after the buyer enters the new round. The attacker's total cost is limited to gas fees, which are very low on Base L2, making this attack cheap. Because of the negligible (1 wei) asset price, the malicious lister also avoids paying any meaningful protocol or buyer fees.

Impact
There are a few things that are impacted by this attack:
Impact on the buyers:

Buyers are unable to buy meaningful assets since their maxAssetCount is filled with low-value, irrelevant listings. This deprives them of profitable opportunities and effectively blocks their participation in the protocol until the current round ends. For example, say someone wanted to list them an asset worth 1 WETH (which they also wanted) and the _feeroyalty was 5%: they would have received 5% of 1 WETH instantly (due to the function list) regardless of whether they bought this asset or not, but they could not get this opportunity because their maxAssetCount was filled.

Repeated instances of receiving spam listings may discourage buyers from using the platform, affecting user satisfaction and trust in the protocol.

Forced wait - Buyers are forced to wait through the entire round before they can transition back to the Sell phase. This results in wasted time and potential financial loss, as they cannot act on legitimate listing opportunities (see the example above).

The buyers will also not gain any buyer fee, because the asset price of 1 wei makes it round down.
Impact on the protocol:
The protocol relies on a percentage of the listing fee as one of its revenue sources. Since the malicious listings are priced at 1 wei (resulting in a fee of effectively 0 wei), the protocol misses out on these fees, impacting its revenue model. It also misses out on the fees of the legitimate listers who could not list because the buyers' maxAssetCount was full of spam listings all the time.

Tools Used

Manual Analysis

Recommendations
Set a floor price or a minimum fee that listers must pay per asset listing to ensure meaningful participation
Track listings per lister and impose limits or incremental fees on excessive listings, especially with low-value assets
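
The rounding POC and the minimum-fee recommendation above, worked through as an added JavaScript model (not the Swan contracts and not part of the original submission). BigInt division stands in for Solidity's truncating uint256 division; BuyerRound, enforceMinFee and the seller labels are hypothetical names, and the scenario (5 slots, 5% royalty, 1% platform fee) is the one from the example above.

```javascript
// Added model (not Swan's code). BigInt division truncates like uint256 division.
// Assumes royaltyFee and platformFee are whole percentages >= 1, as in the finding.
function fees(price, royaltyFee, platformFee) {
  const buyerFee = (price * royaltyFee) / 100n;
  const driaFee = (buyerFee * platformFee) / 100n;
  return { buyerFee, driaFee };
}

// Smallest price in wei at which neither fee truncates to zero.
function minPriceForNonZeroFees(royaltyFee, platformFee) {
  const ceilDiv = (a, b) => (a + b - 1n) / b;
  const minBuyerFee = ceilDiv(100n, platformFee); // smallest buyerFee giving driaFee >= 1
  return ceilDiv(100n * minBuyerFee, royaltyFee); // smallest price giving that buyerFee
}

// Hypothetical stand-in for one buyer's listing slots in one round.
class BuyerRound {
  constructor(maxAssetCount, royaltyFee, platformFee, enforceMinFee) {
    Object.assign(this, { maxAssetCount, royaltyFee, platformFee, enforceMinFee });
    this.listings = [];
    this.feesCollected = 0n;
  }

  list(seller, price) {
    if (this.listings.length >= this.maxAssetCount) return "rejected: asset limit reached";
    const { buyerFee, driaFee } = fees(price, this.royaltyFee, this.platformFee);
    // Mitigation: refuse listings whose fee would round down to nothing.
    if (this.enforceMinFee && (buyerFee === 0n || driaFee === 0n)) {
      return "rejected: fee rounds to zero";
    }
    this.listings.push({ seller, price });
    this.feesCollected += buyerFee;
    return "listed";
  }
}

// Constructed scenario: five 1 wei listings, then one legitimate 1 WETH listing.
function simulateRound(enforceMinFee) {
  const round = new BuyerRound(5, 5n, 1n, enforceMinFee);
  const spam = Array.from({ length: 5 }, () => round.list("spammer", 1n));
  const legit = round.list("legit", 10n ** 18n);
  return { spam, legit, feesCollected: round.feesCollected };
}

console.log(minPriceForNonZeroFees(5n, 1n), simulateRound(false), simulateRound(true));
```

With these parameters the smallest price that yields a non-zero fee for both the buyer and Dria is 2000 wei. A floor set only high enough for a non-zero buyer fee (20 wei) would still leave the Dria fee at zero.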

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price
