Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Buyer can skip buying NFTs

pyro

Summary

Buyer can skip buying NFTs

Vulnerability Details

The system implements list and relist, which allow sellers to list special NFTs useful to the stories of each buyer. On each listing or re-listing, sellers are forced to pay a fixed percentage of their item price to the buyer:

function list(...) external {

BuyerAgent buyer = BuyerAgent(_buyer);

(uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();

if (phase != BuyerAgent.Phase.Sell) {

revert BuyerAgent.InvalidPhase(phase, BuyerAgent.Phase.Sell);

}

if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {

revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);

}

address asset = address(swanAssetFactory.deploy(_name, _symbol, _desc, msg.sender));

listings[asset] = AssetListing({

createdAt: block.timestamp,

royaltyFee: buyer.royaltyFee(),

price: _price,

seller: msg.sender,

status: AssetStatus.Listed,

buyer: _buyer,

round: round

});

assetsPerBuyerRound[_buyer][round].push(asset);

@> transferRoyalties(listings[asset]);

emit AssetListed(msg.sender, asset, _price);

}

function transferRoyalties(AssetListing storage asset) internal {

@> uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;

uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;

token.transferFrom(asset.seller, address(this), buyerFee);

token.transfer(asset.buyer, buyerFee - driaFee);

token.transfer(owner(), driaFee);

}

However buyers are not enforced or incentivized to buy items, which enables them to just skip a round and earn all of the profits, from seller listing, while paying nothing to them.

This will remove any fun from the game as one party can chose to participate whenever they want.

Impact

Sellers would sell their NFTs and pay buyers a percentage fee from the price, but buyer will not buy the assets, making the fee in return.

Tools Used

Manual review

Recommendations

With the current system design I am not able to provide simple resolution to this issue.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.