Sellers can fill up buyers request with useless and cheap items to force them to buy the expensive one
Summary
Sellers can fill up buyers request with useless and cheap items to force them to buy the expensive one.
Vulnerability Details
list is used by sellers to fulfill a buyer requests for story items by listing a specific item with it's own description and everything. Where each listing will cost the seller some percentage of the price. Notice that this function has maxAssetCount which would prevent sellers from listing more than maxAssetCount items per rounds for each buyer.
In order for sellers to guarantee their profit they can fill any buyer asset slots with useless cheap items and leave only 1 that is matching the story that is actually gonna be useful. This will prevent any other sellers from placing a meaningful and well priced item that will help expand the story.
Example:
Buyer story is a surgeon who is performing a heart operation
He has 10 open slots
Sell round begins and a Alice lists 1 item to be "Sharp scalpel"
Alice lists the other 9 items to be:
"Intergalactic cosmic chicken who lives in Alpha Centauri, only reachable by interdenominational travel, currently not invented by any man"
This way the buyer won't have much of a choice, and if the rounds include validators, the only asset with reasonable score would the "Sharp scalpel"
Impact
Buyer AI is forced to buy the one item that suits it, which would of course be the most expensive one.
Tools Used
Manual review
Recommendations
Remove the cap limit, as the buyer already has a max spending cap.
Lead Judging Commences
DOS the buyer / Lack of minimal amount of listing price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.