Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

H-02 Buyer Listing DoS Through Zero-Price Asset Spam

tychaios

Title

Buyer Listing DoS Through Zero-Price Asset Spam

Summary

A vulnerability has been identified in the Swan smart contract where malicious actors can prevent legitimate sellers from listing assets for a specific buyer by flooding the system with zero-price listings up to the maximum asset count limit.

Vulnerability Details

In Swan.sol:168, the contract validates that a seller cannot add a listing if the maxAssetCount for that particular buyer has been reached, which it's shared between all asset sellers, but it fails to properly validate listing conditions, allowing an attacker to exploit the listing system. The relevant code section checks the asset count limit:

if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {

revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);

}

The vulnerability exists because:

There is no minimum price requirement for listings
Listings with zero price don't incur fees
The system only enforces a maximum asset count per buyer per round
No limit exists on how many zero-price assets a single seller can list

An attacker can:

Create multiple listings priced at 0 for a target buyer
Fill up the entire maxAssetCount quota for that buyer's round
Effectively block legitimate sellers from listing assets

Impact

The impact of this vulnerability is severe:

Legitimate sellers are prevented from listing assets
Buyers cannot receive legitimate listings due to spam
Market functionality is compromised for targeted buyers
Potential for market manipulation and unfair competition

Tools Used

Manual Review

Recommendations

To address this vulnerability, consider implementing the following measures:

Minimum Price Requirements
- Implement a minimum price threshold for listings
- Ensure the minimum price covers at least the platform fees
if (_price < minimumListingPrice) {
revert PriceBelowMinimum(minimumListingPrice);
}
Seller Listing Limits
- Add per-seller limits for each buyer's round
mapping(address => mapping(address => mapping(uint256 => uint256))) sellerListingsPerBuyerRound;

function list(...) external {
// ... existing checks ...
if (sellerListingsPerBuyerRound[msg.sender][_buyer][round] >= maxListingsPerSeller) {
revert SellerListingLimitExceeded();
}
sellerListingsPerBuyerRound[msg.sender][_buyer][round]++;
}
Listing Fees
- Require a listing fee regardless of asset price
- This creates an economic disincentive for spam listings
uint256 listingFee = calculateListingFee(_price);
if (listingFee < minimumListingFee) {
listingFee = minimumListingFee;
}
token.transferFrom(msg.sender, address(this), listingFee);

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.