Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Logical Flaw in Asset Listing due to Market Parameter Changes in maxAssetCount

mohammadx2049

Summary

A logical flaw exists in the list function of the swan smart contract that arises when the market parameters are updated, specifically when the maxAssetCount parameter is decreased to a value lower than the existing number of listed assets for a particular round. This allows the addition of an unlimited number of assets in that round, leading to an uncontrolled asset listing scenario.

Vulnerability Details

The issue occurs in the following condition within the list function https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol?plain=1#L168-170 :

if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {

revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);

}

If the market parameter maxAssetCount changes to a value lower than the current number of assets already listed for that buyer in a particular round, this check no longer prevents additional assets from being listed. For instance, if assetsPerBuyerRound[_buyer][round].length is 5 and the maxAssetCount is subsequently decreased to 3, the equality condition will never be true. Therefore, further listings are allowed, and the number of assets for that round can exceed the new limit without bounds, effectively allowing infinite asset listings.

Impact

This logical flaw can lead to uncontrolled asset listing during a round, where the intended maximum limit (maxAssetCount) becomes ineffective due to changes in market parameters. This undermines the integrity of the maxAssetCount mechanism, resulting in a situation where an attacker or user can list an infinite number of assets in a given round, even after the maxAssetCount has been lowered.

Tools Used

Manual review

Recommendations

To resolve this issue, change the condition from == to >= to ensure that additional assets cannot be listed when the current number of assets exceeds the new maxAssetCount.

if (getCurrentMarketParameters().maxAssetCount >= assetsPerBuyerRound[_buyer][round].length) { ... }

^^^^

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

[INVALID] List unlimited items

SwanManager::setMarketParameters pushes the new parameters `marketParameters.push(_marketParameters);` After that, when user calls list the protocol computes the round and the phase `(uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();` Inside the getRoundPhase function you have this if statement on top: `if (marketParams.length == marketParameterIdx + 1) {`. The setMarketParameters call changed the `marketParams` length, thing which will case the first case to be false and run the else statement. At the end of that statement we see there is a new round. So the second element of this check `(getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length` is zero, because the [round] is fresh.

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.