Dria: Swan contest (NFT, Hardhat), 21,000 USDC
Submission Details
Severity: medium
Invalid

Operators can't call purchase function

Summary

The BuyerAgent contract contains a permission inconsistency in its purchase functionality where operators are granted access but will always fail at the Swan contract level.

Vulnerability Details

The BuyerAgent.purchase() function can be called by both owner and operators (through onlyAuthorized modifier). However, Swan.purchase() has a strict check requiring msg.sender to be the listing.buyer. This means operators will always fail at the Swan contract level, making the operator permission in BuyerAgent effectively useless for purchases.

In the BuyerAgent contract:

function purchase() external onlyAuthorized {
    // ...
    swan.purchase(asset); // This call will fail for operators
}

In the Swan contract (Swan.sol):

function purchase(address _asset) external {
    // ...
    if (listing.buyer != msg.sender) {
        revert Unauthorized(msg.sender);
    }
}

This creates a situation where operators can initiate purchases that will inevitably fail.

Impact

Operators can't call the purchase function

Tools Used

Manual review

Recommendations

In Swan::purchase, add authorization for operators:

function purchase(address _asset) external {
// ...
- if (listing.buyer != msg.sender) {
+ if (listing.buyer != msg.sender && !swan.isOperator(msg.sender)) {
revert Unauthorized(msg.sender);
}
}
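Review bot: the `+` line does not compile as written and targets the wrong address. Inside Swan.sol there is no `swan` identifier to call `isOperator` on, and more importantly the quoted BuyerAgent.purchase() makes an external call `swan.purchase(asset)` from the agent contract, so `msg.sender` inside Swan.purchase is the BuyerAgent contract address, not the operator who invoked the agent; the operator never reaches this check directly. If Swan genuinely needed to admit operators calling it directly, the check would have to consult the agent's own operator registry (for example a hypothetical `BuyerAgent(listing.buyer).isOperator(msg.sender)`), but nothing on this page shows operators calling Swan except through BuyerAgent, where the existing `listing.buyer != msg.sender` check already passes.
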

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
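To make the judge's reason concrete, here is an added Solidity illustration of what Swan.purchase actually observes as msg.sender when an operator goes through BuyerAgent. This is example code written for this page, not the Swan project's own contracts; it strips the two quoted contracts down to the parts that matter and assumes two things the report does not state: that a listing's `buyer` field holds the BuyerAgent contract address, and that `onlyAuthorized` admits the agent's owner or a registered operator. The `Operator`, `CallChainDemo`, `list`, `setOperator` and `listings` names are all constructed for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Swan project's code. Assumptions (not from the
// report): listing.buyer holds the BuyerAgent contract address, and
// onlyAuthorized admits the owner or a registered operator.

contract Swan {
    error Unauthorized(address sender);

    struct Listing { address buyer; bool sold; }

    mapping(address => Listing) public listings;

    // Assumed listing flow: an asset is listed for one specific buyer agent.
    function list(address asset, address buyer) external {
        listings[asset] = Listing({buyer: buyer, sold: false});
    }

    function purchase(address asset) external {
        Listing storage listing = listings[asset];
        // msg.sender is the immediate caller. When BuyerAgent.purchase()
        // calls in, that is the BuyerAgent contract, never the EOA behind it.
        if (listing.buyer != msg.sender) {
            revert Unauthorized(msg.sender);
        }
        listing.sold = true;
    }
}

contract BuyerAgent {
    Swan public immutable swan;
    address public immutable owner;
    mapping(address => bool) public isOperator;

    constructor(Swan _swan) {
        swan = _swan;
        owner = msg.sender;
    }

    modifier onlyAuthorized() {
        require(msg.sender == owner || isOperator[msg.sender], "not authorized");
        _;
    }

    function setOperator(address op, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isOperator[op] = allowed;
    }

    function purchase(address asset) external onlyAuthorized {
        // Inside swan.purchase, msg.sender == address(this).
        swan.purchase(asset);
    }
}

// Stands in for an operator address: neither the agent's owner nor the buyer.
contract Operator {
    function buyVia(BuyerAgent agent, address asset) external {
        agent.purchase(asset);
    }
}

// Deploys everything and exercises both call paths.
contract CallChainDemo {
    Swan public swan;
    BuyerAgent public agent;
    Operator public op;

    constructor() {
        swan = new Swan();
        agent = new BuyerAgent(swan); // owner == this contract
        op = new Operator();
        agent.setOperator(address(op), true);
    }

    // Operator -> BuyerAgent -> Swan: Swan sees the agent as msg.sender,
    // which equals listing.buyer, so the purchase goes through.
    function operatorPurchaseSucceeds(address asset) external returns (bool) {
        swan.list(asset, address(agent));
        op.buyVia(agent, asset);
        (, bool sold) = swan.listings(asset);
        return sold;
    }

    // Calling Swan directly from anything other than the agent is exactly
    // what the listing.buyer check is there to stop.
    function directPurchaseReverts(address asset) external returns (bool) {
        swan.list(asset, address(agent));
        try swan.purchase(asset) {
            return false;
        } catch {
            return true;
        }
    }
}
```

Deploy `CallChainDemo` and call `operatorPurchaseSucceeds` with any asset address: it returns true, because the revert condition in `Swan.purchase` compares `listing.buyer` against the BuyerAgent contract, which is the address that made the external call. `directPurchaseReverts` returns true for the opposite reason: the demo contract is not the listed buyer, so the check rejects it. The operator permission in BuyerAgent therefore works as intended for purchases; what the check in Swan prevents is bypassing the agent altogether.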