Submission Details
Severity:
`Swan.list()` Checks The `maxAssetCount` of The BuyerAgent Before The Addition of The New Listed Asset
## Summary
`Swan.list()` function checks for the buyers listed assets to be less than the `maxAssetCount` without counting the newly asset that is going to be listed .
## Vulnerability Details
- Sellers can list an asset/assets to any buyer agent via `Swan.list()`, where the seller determines to which agent this asset to be listed and for which price, and befor the asset is added to the `Swan.ssetsPerBuyerRound[_buyer][round]` of the buyer, a check is made to ensure that the currently listed assets number for this buyer at his current round doesn't exceed the maximum assets allowed to be listed for buyers determined by the current market parameters, **then** the asset is added/pushed to the buyer's array:
```javascript
function list(
string calldata _name,
string calldata _symbol,
bytes calldata _desc,
uint256 _price,
address _buyer
) external {
//...
if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
// all is well, create the asset & its listing
address asset = address(swanAssetFactory.deploy(_name, _symbol, _desc, msg.sender));
listings[asset] = AssetListing({
createdAt: block.timestamp,
royaltyFee: buyer.royaltyFee(),
price: _price,
seller: msg.sender,
status: AssetStatus.Listed,
buyer: _buyer,
round: round
});
// add this to list of listings for the buyer for this round
assetsPerBuyerRound[_buyer][round].push(asset);
//...
}
```
## Impact
- As can be noticed; the check on the `assetsPerBuyerRound[_buyer][round].length` to be **less** than the `maxAssetCount` is done **before** pushing the new listed asset to the buyer's list, which would result in buyers being able to bypass the `maxAssetCount` check by one asset (having a total maximum listed asset of `maxAssetCount` instead of `maxAssetCount - 1`).
- Same issue in `Swan.relist()` function.
## Proof of Concept
[Swan.list function() / L168-L170](https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L168C9-L170C10)
```javascript
function list(
string calldata _name,
string calldata _symbol,
bytes calldata _desc,
uint256 _price,
address _buyer
) external {
//...
if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
//...
// add this to list of listings for the buyer for this round
assetsPerBuyerRound[_buyer][round].push(asset);
//...
}
```
## Tools Used
Manual Review.
## Recommendations
Update `Swan.list()` function to check for the `maxAssetCount` accounting for the newly listed asset:
```diff
function list(
string calldata _name,
string calldata _symbol,
bytes calldata _desc,
uint256 _price,
address _buyer
) external {
//...
- if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
+ if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length + 1) {
revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
//...
}
```
Prize pool breakdown
Total prize
21,000 USDC
nSLOC
1,03420 USDC / LOC
20,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.