Dria: Swan
Tags: NFT, Hardhat
Prize pool: 21,000 USDC
Submission Details
Severity: high
Invalid

If the admin changes oracleParameters, the buyer's purchase will fail.

Summary

If the admin calls the setOracleParameters function to increase the fee before a user makes a buy call, the buyer may no longer hold enough funds when the purchase function is called, and the purchase fails. As a result, both the seller and the buyer have paid fees without the transaction completing.

Vulnerability Details

Background:

  1. The basic call sequence for a purchase is: the seller lists items and pays the listing fee during the sell phase, the buyer makes a purchase request and pays the oracleFee during the buy phase, and then the purchase function is called to execute the transaction.

  2. The owner of Swan can modify some parameters of the oracle through the setOracleParameters function, which may make the oracleFee higher.

  3. When setOracleParameters is called, the agents are not all in the same phase; each agent is in its own phase.

  4. If a user does not withdraw during the withdraw phase, they must keep enough funds to complete the next buy. The required amount is calculated from the current OracleParameters.

  5. Sellers pay a fee when listing during their selling cycle. Buyers also pay a fee when calling oraclePurchaseRequest.

Here is a possible scenario:

  1. A buyer withdraws all available funds during the sell phase.

  2. The owner of Swan then calls setOracleParameters to increase the complexity of the oracle (since the cycles of the agents are not synchronized, the owner cannot control how this call lines up with each agent's phase).

  3. The buyer calls oraclePurchaseRequest as normal, but when the purchase function is reached, the call reverts because the agent's funds are insufficient.

  4. This results in a loss of fees for both the buyer and the seller.

Impact

This results in a loss of fees for both the buyer and the seller.

Tools Used

Manual review

Recommendations

It is recommended to bind the oracleParameters to the user: record the current oracleParameters when the user's state is updated, and do not change them within an ongoing transaction cycle.
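The pattern this recommendation describes, fixing the fee at the moment the request is created so a later admin update cannot change what an in-flight purchase needs, is sketched below in Solidity. This is an added example, not Swan's code; every contract, function and variable name and the fee formula are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration (not Swan's code): snapshot the oracle fee when a
/// purchase request is created so that a later setOracleParameters call
/// cannot alter the amount an already-open purchase requires.
/// All names and the fee formula are assumptions.
contract FeeSnapshotExample {
    struct OracleParameters {
        uint256 difficulty;  // assumed: the "complexity" knob from the report
        uint256 feePerUnit;  // assumed: base fee per unit of difficulty
    }

    struct PurchaseRequest {
        address buyer;
        uint256 lockedFee;   // fee fixed at request time
        bool settled;
    }

    address public owner;
    OracleParameters public params;
    mapping(uint256 => PurchaseRequest) public requests;
    mapping(address => uint256) public balances; // assumed: agent funds held here
    uint256 public nextRequestId;

    event ParametersUpdated(uint256 difficulty, uint256 feePerUnit);
    event RequestCreated(uint256 id, address buyer, uint256 lockedFee);
    event Purchased(uint256 id);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 difficulty, uint256 feePerUnit) {
        owner = msg.sender;
        params = OracleParameters(difficulty, feePerUnit);
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    /// Fee a *new* request would pay; only new requests observe parameter changes.
    function currentFee() public view returns (uint256) {
        return params.difficulty * params.feePerUnit;
    }

    /// Admin update. Deliberately has no effect on requests already created.
    function setOracleParameters(uint256 difficulty, uint256 feePerUnit) external onlyOwner {
        params = OracleParameters(difficulty, feePerUnit);
        emit ParametersUpdated(difficulty, feePerUnit);
    }

    /// Counterpart of the report's oraclePurchaseRequest: the fee is computed,
    /// checked against the buyer's balance and escrowed at this single point.
    function oraclePurchaseRequest() external returns (uint256 id) {
        uint256 fee = currentFee();
        require(balances[msg.sender] >= fee, "insufficient funds for fee");
        balances[msg.sender] -= fee;
        id = nextRequestId++;
        requests[id] = PurchaseRequest(msg.sender, fee, false);
        emit RequestCreated(id, msg.sender, fee);
    }

    /// Counterpart of purchase: settles against the locked fee and never reads
    /// the live params, so an intervening setOracleParameters cannot make it revert.
    function purchase(uint256 id) external {
        PurchaseRequest storage r = requests[id];
        require(r.buyer == msg.sender, "not the buyer");
        require(!r.settled, "already settled");
        r.settled = true;
        // Any oracle payout would be paid from r.lockedFee here.
        emit Purchased(id);
    }
}
```

The design choice worth noting is that the fee is evaluated and charged exactly once, in oraclePurchaseRequest, and the later step consumes the stored value rather than recomputing it; whether a given protocol actually needs this depends on whether its later step re-reads the live parameters.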

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
