Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Old Asset Listing Not Removed During Relisting Process

n3smaro

Summary

The relist function in the Swan contract allows sellers to relist an asset for a new buyer and price. However, it does not remove or properly manage the old asset listing, which could lead to inconsistencies in the asset tracking and management within the contract.

Vulnerability Detail

When the relist function is executed, it updates the existing asset listing without removing the previous entry from the listings mapping. This means that:

The old asset listing remains in the contract, leading to potential confusion regarding the asset's current status.
The new listing is created, but the existing listing still exists, which could cause issues with tracking how many assets a buyer has across different rounds, especially if a buyer reaches their maxAssetCount limit due to old listings not being properly purged.

Additionally, the old asset listing is not properly accounted for in the assetsPerBuyerRound mapping. If the previous round's listings are not removed, it may allow a buyer to exceed their asset limit, potentially violating the platform’s intended constraints.

Impact

This oversight can lead to several significant issues:

Buyers may inadvertently exceed their allowed asset limit, resulting in unexpected behavior and potentially invalid transactions.
The integrity of the asset management system is compromised, as old listings can confuse users and misrepresent the actual ownership status of assets.

Tool used

Manual Code Review

Recommendation

Implement a mechanism to remove or properly manage the old asset listings when a new listing is created through the relist function. This could involve:

Deleting the old listing from the listings mapping and the assetsPerBuyerRound mapping for the previous round before creating the new listing.
Ensuring that asset counts are accurately tracked and enforced to prevent buyers from exceeding their maximum allowed assets.

By doing so, the contract will maintain a clear and accurate representation of asset ownership and enforce the intended asset limits, thus improving the overall integrity of the platform.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.