Dria

Swan
Tags: NFT, Hardhat
Prize pool: 21,000 USDC
Submission Details
Severity: low
Status: Invalid

The protocol claims to support ETH as a payment token but it doesn't

Summary

According to the Readme, the protocol supports ETH as a payment token:

ERC-20 (ETH, WETH): Payments within Swan are made with an ERC20 compatible token. Oracle fees are also paid with such.

However, this is not the case. Starting with transferRoyalties(), which list() and relist() call, the asset creator cannot pay the royalty fee in ETH: the function only moves the configured ERC20 token through transferFrom() and transfer(), and it is not payable.

function transferRoyalties(AssetListing storage asset) internal {
    // calculate fees
    uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;
    uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;
    // first, Swan receives the entire fee from seller
    // this allows only one approval from the seller's side
    token.transferFrom(asset.seller, address(this), buyerFee);
    // send the buyer's portion to them
    token.transfer(asset.buyer, buyerFee - driaFee);
    // then it sends the remaining to Swan owner
    token.transfer(owner(), driaFee);
}

The same holds for purchase(), which moves the price with the ERC20 token and is not payable either:

function purchase(address _asset) external {
    ...
    // transfer money
    token.transferFrom(listing.buyer, address(this), listing.price);
    token.transfer(listing.seller, listing.price);
    ...
}

No instance of the BuyerAgent.sol contract can receive ETH, because it implements neither a receive() nor a payable fallback function. In addition, withdraw() cannot withdraw ETH and treasury() cannot report any ETH balance the contract might hold, since both operate on the ERC20 token only.

The register() and unregister() functions in the LLMOracleRegistry.sol contract likewise do not accept ETH for the registration stake, nor return the stake in ETH on withdrawal.

The LLMOracleCoordinator.sol contract does not support ETH either. In request(), the buyer agent can pay the fee only with the ERC20 token, not with ETH. respond() and validate() both call _increaseAllowance(), which only increases an allowance for that ERC20 token, and withdrawPlatformFees() has no path for withdrawing ETH.

Vulnerability Details

Impact

A token the README claims is supported (ETH) cannot actually be used anywhere in the protocol.

Tools Used

Manual review

Recommendations

Support ETH as a payment token. One common approach is to treat a token address of zero as native ETH, require the amount as msg.value on the paying side, and send it out with a low-level call on the paying-out side. Because that call hands control to the recipient, guard the affected functions against reentrancy (checks-effects-interactions plus a reentrancy guard).
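The pattern this recommendation describes, as an added illustrative example. This is not Swan's code, and the contest scope (ERC20 payments only) does not require it; it shows how a payment helper can treat token == address(0) as native ETH, pay out with a low-level call, and stay safe against reentrancy. The contract name, the platform fee recipient, the basis-point fee and the OpenZeppelin v5 import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Illustrative dual ETH/ERC20 payment helper (assumed example, not Swan's code).
/// `token == address(0)` selects native ETH; any other address is an ERC20.
contract DualPayment is ReentrancyGuard {
    using SafeERC20 for IERC20;

    address public immutable token;    // address(0) => native ETH
    address public immutable platform; // receives the platform fee (assumed role)

    event Paid(address indexed payer, address indexed seller, uint256 price, uint256 fee);

    constructor(address token_, address platform_) {
        token = token_;
        platform = platform_;
    }

    function isNative() public view returns (bool) {
        return token == address(0);
    }

    /// Balance held in the payment asset; what a treasury()-style view must
    /// return in the ETH case instead of token.balanceOf(address(this)).
    function balance() public view returns (uint256) {
        return isNative() ? address(this).balance : IERC20(token).balanceOf(address(this));
    }

    /// Pull `amount` from msg.sender: ETH must arrive as msg.value, ERC20 via transferFrom.
    /// ETH sent alongside an ERC20 payment is rejected so it cannot get stuck here.
    function _pull(uint256 amount) internal {
        if (isNative()) {
            require(msg.value == amount, "msg.value != amount");
        } else {
            require(msg.value == 0, "unexpected ETH");
            IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        }
    }

    /// Push `amount` to `to`. ETH uses a low-level call (recipients whose receive()
    /// needs more than the 2300 gas of transfer() still work); failures revert.
    function _push(address to, uint256 amount) internal {
        if (amount == 0) return;
        if (isNative()) {
            (bool ok, ) = payable(to).call{value: amount}("");
            require(ok, "ETH send failed");
        } else {
            IERC20(token).safeTransfer(to, amount);
        }
    }

    /// Buyer pays `price`; the seller receives price minus fee and the platform the fee.
    /// The ETH call to `seller` hands over control, so nonReentrant blocks a
    /// re-entry into pay() before the first call completes; funds are pulled and
    /// the event emitted before any interaction (checks-effects-interactions).
    function pay(address seller, uint256 price, uint256 feeBps)
        external
        payable
        nonReentrant
    {
        require(feeBps <= 10_000, "fee > 100%");
        uint256 fee = (price * feeBps) / 10_000;
        _pull(price);
        emit Paid(msg.sender, seller, price, fee);
        _push(seller, price - fee);
        _push(platform, fee);
    }
}
```

Deploy with token_ = address(0) for native ETH and call pay{value: price}(seller, price, feeBps); deploy with an ERC20 address and the buyer first approves the contract, then calls pay(seller, price, feeBps) with no value attached.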

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[INVALID] ETH not supported as payment method

Contest details specifically state that: "Payments within Swan are made with an ERC20 compatible token", WETH's address is mentioned as well. Everything is done through ERC20 functionality.
