Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

A malicious attacker can DOS the buyer by listing assets at 0 price

anonymousjoe

Summary

A malicious attacker can create many assets(of 0 value) and list it to the buyer he wants to DOS for 0 price(so that the attacker has to pay 0). Thus essentially DOS'ing the buyer for that round. This can be repeated for every round to make the buyer not able to receive any proper assets.

Vulnerability Details

In the list()function there exists no check to ensure the price > 0. This makes it possible to list useless assets (assets which will have no value : giving garbage values for name and description) at 0 price to a buyer you want to DOS.

When the list()function is called maxAssetCountnumber of times. The buyer wont be able to receive further listings in this round. Thus essentially the buyer cant participate to purchase anything ever. (this can be carried out during every round for almost 0 cost => only gas cost applies to the attacker).

// asset count must not exceed `maxAssetCount`

if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {

revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);

}

(https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L167-L170)

Further, since the fees is calculated from the price listed by the attacker, he can just set the price as 0, so as to list the assets for no cost.

/// @notice Function to transfer the royalties to the seller & Dria.

function transferRoyalties(AssetListing storage asset) internal {

// calculate fees

uint256 buyerFee = (asset.price * asset.royaltyFee) / 100; // will become 0 since price is 0

uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;

// first, Swan receives the entire fee from seller

// this allows only one approval from the seller's side

token.transferFrom(asset.seller, address(this), buyerFee);

// send the buyer's portion to them

token.transfer(asset.buyer, buyerFee - driaFee);

// then it sends the remaining to Swan owner

token.transfer(owner(), driaFee);

}

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L258-L272

Impact

Since this method to DOS the buyer indefinetely can be done with minimal costs (gas cost : which is very less in BASE), the likelihood is high, and so is the impact (complete DOS of the buyer). Thus the severity should be high.

Tools Used

Manual review

Recommendations

Set a minimum price for listing assets. This will ensure that this particular attack is less incentivized.
Or limit the number of times a seller can list for a certain buyer.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.