Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Buyer agent cannot limit or choose the asset they want to purchase

danzero

Summary

Buyer agent cannot limit or choose on what asset to be purchased which could cause out of gas error if the response contain too many assets to purchase.

Vulnerability Details

The purchasefunction in the BuyerAgent.solis used by buyer agent to purchase asset based on the best response given by the LLM oracle generators.

Impact

Buyer agent cannot purchase asset on that round and as a result waste their funds for the oracle request.

POC

Below is a snippet of the purchasefunction:

function purchase() external onlyAuthorized {

// check that we are in the Buy phase, and return round

(uint256 round,) = _checkRoundPhase(Phase.Buy);

// check if the task is already processed

uint256 taskId = oraclePurchaseRequests[round];

if (isOracleRequestProcessed[taskId]) {

revert TaskAlreadyProcessed();

}

// read oracle result using the latest task id for this round

bytes memory output = oracleResult(taskId);

address[] memory assets = abi.decode(output, (address[]));

// we purchase each asset returned

for (uint256 i = 0; i < assets.length; i++) {

address asset = assets[i];

// must not exceed the roundly buy-limit

uint256 price = swan.getListingPrice(asset);

spendings[round] += price;

if (spendings[round] > amountPerRound) {

revert BuyLimitExceeded(spendings[round], amountPerRound);

}

// add to inventory

inventory[round].push(asset);

// make the actual purchase

swan.purchase(asset);

}

// update taskId as completed

isOracleRequestProcessed[taskId] = true;

}

As seen above, the assetsvariable which is the list of assets to be purchased by the buyer agent is decoded from the outputvariable which comes from the best response of the LLM oracle generators.

This is a problem if the response contain many assets that the buyer must purchase as this could cause out of gas error and revert the transaction.

Tools Used

Manual review

Recommendations

In the purchase function, add parameter to limit or choose what asset the buyer agent can purchase.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.