Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

`Swan.list()` Checks The `maxAssetCount` of The BuyerAgent Before The Addition of The New Listed Asset

## Summary
The `Swan.list()` function checks that the buyer's listed assets are fewer than `maxAssetCount` without counting the new asset that is going to be listed.
## Vulnerability Details
- Sellers can list one or more assets to any buyer agent via `Swan.list()`, where the seller determines which agent the asset is listed to and at which price. Before the asset is added to the buyer's `Swan.assetsPerBuyerRound[_buyer][round]`, a check ensures that the number of assets currently listed for this buyer in the current round doesn't exceed the maximum number of assets allowed per buyer under the current market parameters; **then** the asset is added/pushed to the buyer's array:
```solidity
function list(
    string calldata _name,
    string calldata _symbol,
    bytes calldata _desc,
    uint256 _price,
    address _buyer
) external {
    //...
    if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
        revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
    }
    // all is well, create the asset & its listing
    address asset = address(swanAssetFactory.deploy(_name, _symbol, _desc, msg.sender));
    listings[asset] = AssetListing({
        createdAt: block.timestamp,
        royaltyFee: buyer.royaltyFee(),
        price: _price,
        seller: msg.sender,
        status: AssetStatus.Listed,
        buyer: _buyer,
        round: round
    });
    // add this to list of listings for the buyer for this round
    assetsPerBuyerRound[_buyer][round].push(asset);
    //...
}
```
## Impact
- As can be seen, the check that `assetsPerBuyerRound[_buyer][round].length` is **less** than `maxAssetCount` is done **before** pushing the newly listed asset to the buyer's list, which would result in buyers being able to bypass the `maxAssetCount` check by one asset (having a total maximum of `maxAssetCount` listed assets instead of `maxAssetCount - 1`).
- The same issue exists in the `Swan.relist()` function.
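The guard-then-push order described above can be modelled off-chain to see how many assets each form of the check admits. This is an added example, not part of the submission or the Swan code base; `originalGuard`, `proposedGuard` and `maxListings` are hypothetical names, and the model covers a single buyer and round.

```javascript
// Constructed model of Swan.list() for one buyer and one round.
// Not project code: all names below are hypothetical.

// Guard as quoted from Swan.list(): revert when the array is already at the limit.
const originalGuard = (maxAssetCount, length) => maxAssetCount === length;

// Guard as written in the Recommendations diff: compare against length + 1.
const proposedGuard = (maxAssetCount, length) => maxAssetCount === length + 1;

// Attempt `attempts` listings in a row and return how many assets end up stored.
function maxListings(guard, maxAssetCount, attempts) {
  const assets = []; // stands in for assetsPerBuyerRound[_buyer][round]
  for (let i = 0; i < attempts; i++) {
    if (guard(maxAssetCount, assets.length)) {
      continue; // models revert AssetLimitExceeded(maxAssetCount)
    }
    assets.push(`asset-${i}`); // models the push after the check
  }
  return assets.length;
}

// Tabulate both guards for a few limits, including the zero-limit edge case.
function compareGuards(limits, attempts) {
  return limits.map((maxAssetCount) => ({
    maxAssetCount,
    original: maxListings(originalGuard, maxAssetCount, attempts),
    proposed: maxListings(proposedGuard, maxAssetCount, attempts),
  }));
}

console.table(compareGuards([0, 1, 5], 20));
```

The zero-limit row is the one to look at: an equality against `length + 1` never matches when the limit is 0, so that guard admits every attempt.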
## Proof of Concept
[Swan.list() function / L168-L170](https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L168C9-L170C10)
```solidity
function list(
    string calldata _name,
    string calldata _symbol,
    bytes calldata _desc,
    uint256 _price,
    address _buyer
) external {
    //...
    if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
        revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
    }
    //...
    // add this to list of listings for the buyer for this round
    assetsPerBuyerRound[_buyer][round].push(asset);
    //...
}
```
## Tools Used
Manual Review.
## Recommendations
Update the `Swan.list()` function so that the `maxAssetCount` check accounts for the newly listed asset:
```diff
function list(
string calldata _name,
string calldata _symbol,
bytes calldata _desc,
uint256 _price,
address _buyer
) external {
//...
- if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
+ if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length + 1) {
revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
//...
}
```
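Review bot: the `+` line compares `maxAssetCount` to `length + 1` with `==`, so the guard reverts while the array holds `maxAssetCount - 1` entries and the push that follows can never bring it to `maxAssetCount`; and when `maxAssetCount` is 0 the equality can never hold, so every listing passes the check. If the intent is to cap the array at the limit, an inequality such as `assetsPerBuyerRound[_buyer][round].length >= maxAssetCount` fails closed in both cases, and the revert message would then still report the limit that was actually enforced.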
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
