Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Unbounded Price Listings Enable Economic Manipulation

foxb868

Summary

Swan protocol allows asset listings with unbounded prices, including max_uint256, leading to arithmetic overflows in fee calculations and potential economic manipulation.

Vulnerability Details

https://github.com/Cyfrin/2024-10-swan-dria/blob/c3f6f027ed51dd31f60b224506de2bc847243eb7/contracts/swan/Swan.sol#L258-L261

// @bug: No maximum price validation allows listing with max_uint256 price

// This enables economic manipulation and potential overflow in fee calculations

function list(string calldata _name, string calldata _symbol, bytes calldata _desc, uint256 _price, address _buyer)

external {

// ...

// Price accepted without validation

listings[asset] = AssetListing({

price: _price, // Unbounded price stored

// ...

});

}

// @bug: Fee calculations can overflow with extreme prices

// When price is max_uint256, these calculations can overflow

function transferRoyalties(AssetListing storage asset) internal {

uint256 buyerFee = (asset.price * asset.royaltyFee) / 100; // Overflow risk

uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100; // Cascade overflow

// Token transfers affected by incorrect calculations

// ...

}

// @bug: No price validation in relist allows circumventing any future price caps

function relist(address _asset, address _buyer, uint256 _price) external {

// ...

}

Impact Path:

User calls list() with max_uint256 price
Creates listing in listings mapping
Triggers transferRoyalties()
Affects fee calculations and token transfers

Impact

Economic Manipulation:

Malicious actors can list assets with extreme prices
This distorts the market dynamics and price discovery
Could be used to manipulate statistics or block other legitimate listings

Fee Calculation Issues:

Extreme prices lead to overflow in royalty calculations
Platform fees and buyer fees become unreliable
Could result in incorrect token transfers

Token Transfer Problems:

Extremely high prices may exceed token balances
Can cause failed transactions and waste gas
Potential DoS vector for legitimate market operations

The combination of these issues makes the protocol vulnerable to economic attacks and manipulation. The ability to list with arbitrary prices, including max_uint256, fundamentally undermines the economic security assumptions of the system.

Tools Used

Manual Review

Recommendations

Implement price validation in a modifier
Add slippage protection for buyers
Include price reasonability checks based on market parameters

contract Swan {

+ uint256 public constant MAX_PRICE = 1000000 ether; // Adjust based on token decimals

function list(...) external {

+ require(_price <= MAX_PRICE, "Price exceeds maximum");

// ... existing code

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.