Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Missing Refund Mechanism in Swan.sol:purchase Function

Summary

The purchase function has no refund mechanism for the case where one of the asset or payment transfers fails. If an error occurs during any part of the asset or fund transfer, the buyer's payment may be taken without the asset being transferred to the buyer. This can result in a significant loss.

Vulnerability Details

The following lines of code are involved in the transfer process without rollback or refund checks:

// transfer asset: seller -> contract -> buyer
SwanAsset(_asset).transferFrom(listing.seller, address(this), 1);
SwanAsset(_asset).transferFrom(address(this), listing.buyer, 1);
// transfer money: buyer -> contract -> seller
token.transferFrom(listing.buyer, address(this), listing.price);
token.transfer(listing.seller, listing.price);

Impact

  • Buyer Funds Loss: If any transfer fails, the buyer may end up paying without receiving the asset, creating a financial risk.

  • Incomplete Transactions: The function may only partially complete the transaction, leaving the contract in an inconsistent state.

Tools Used

  • Manual code review.

Recommendations

  • Wrap each transfer-related line in a require statement so that every transfer must succeed, or the transaction reverts immediately if any of them fails; alternatively, handle the transfers in a way that allows the whole operation to be rolled back if any part of the function fails.
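As an added illustration of the recommendation (not code from the Swan codebase), the sketch below keeps the same two-hop transfer order as the snippet above and guards each ERC20 call so that a token which signals failure by returning false cannot leave the function half-finished. Two points a practitioner should keep in mind when weighing the finding: first, a revert anywhere in the function already undoes every state change made earlier in the same transaction, so no separate "refund" step is needed for calls that revert; second, ERC721 transferFrom returns nothing and reverts on failure, so the require wrapper only makes sense for the ERC20 transfer and transferFrom calls, which return a bool. The Listing struct, the listings mapping, the token id 1 and the constructor are assumptions made for this example; SafeERC20 from OpenZeppelin is the library alternative to hand-written require checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// Example-only contract; the real Swan contract has a different layout.
contract PurchaseExample {
    // Assumed listing shape: one listing per asset address.
    struct Listing {
        address seller;
        address buyer;
        uint256 price;
        bool sold;
    }

    IERC20 public immutable token;
    mapping(address => Listing) public listings;

    constructor(IERC20 _token) {
        token = _token;
    }

    function purchase(address _asset) external {
        Listing storage listing = listings[_asset];
        require(msg.sender == listing.buyer, "caller is not the listed buyer");
        require(!listing.sold, "listing already settled");

        // Effects before interactions: if any call below reverts,
        // this write is rolled back together with everything else.
        listing.sold = true;

        // ERC721 transferFrom has no return value and reverts on failure,
        // so a require wrapper is not applicable here (assumed token id 1).
        IERC721(_asset).transferFrom(listing.seller, address(this), 1);
        IERC721(_asset).transferFrom(address(this), listing.buyer, 1);

        // ERC20 calls return a bool; a non-reverting token that returns
        // false would otherwise let execution continue. The require makes
        // the whole transaction revert, restoring the asset and the listing.
        require(
            token.transferFrom(listing.buyer, address(this), listing.price),
            "payment transferFrom failed"
        );
        require(
            token.transfer(listing.seller, listing.price),
            "payout transfer failed"
        );
    }
}
```

Using OpenZeppelin's SafeERC20 (token.safeTransferFrom / token.safeTransfer) gives the same guarantee and additionally tolerates tokens that return no value at all, which plain require(token.transfer(...)) would reject at the ABI-decoding stage.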

Updates

Lead Judging Commences

inallhonesty Lead Judge
7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
