Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

H-03 Buyer DoS Through Zero-Price Relisting Manipulation

tychaios

Summary

A vulnerability has been identified in the Swan smart contract where attackers can deny service to buyers by repeatedly relisting assets at zero price, avoiding paying fees while filling up the buyer's asset quota for a given round.

Vulnerability Details

In Swan.sol, the contract's relisting mechanism contains a significant vulnerability in how it handles zero-price relistings and royalty calculations. The relevant code section shows:

// buyer must not have more than `maxAssetCount` many assets

uint256 count = assetsPerBuyerRound[_buyer][round].length;

if (count >= getCurrentMarketParameters().maxAssetCount) {

revert AssetLimitExceeded(count);

}

// create listing

listings[_asset] = AssetListing({

createdAt: block.timestamp,

royaltyFee: buyer.royaltyFee(),

price: _price,

seller: msg.sender,

status: AssetStatus.Listed,

buyer: _buyer,

round: round

});

// add this to list of listings for the buyer for this round

assetsPerBuyerRound[_buyer][round].push(_asset);

// ...

The vulnerability exists because:

Assets can be relisted at a price of 0
Royalty fees are calculated as a percentage of the price, so zero-price listings result in zero royalties
Each relisting adds another entry to assetsPerBuyerRound regardless of price
No cost is incurred by the attacker when relisting at zero price
Previous listings remain in the array, contributing to the maxAssetCount limit

An attacker can exploit this by:

Accumulating multiple unsold assets
Repeatedly relisting these assets at zero price
Avoiding any royalty payments due to the zero price
Filling up the buyer's asset quota for the round with zero-price listings

Impact

Buyers can be denied service for entire rounds
Legitimate sellers are blocked from listing assets
Platform royalty mechanism is circumvented
Zero cost to execute the attack (besides the transaction cost)

Tools Used

Manual Review

Recommendations

To address this vulnerability, consider implementing the following measures:

Minimum Price and Royalty Requirements

function relist(address _asset, address _buyer, uint256 _price) external {
require(_price >= minimumListingPrice, "Price too low");
uint256 minRoyalty = calculateMinimumRoyalty();
require((_price * buyer.royaltyFee()) / 10000 >= minRoyalty,
"Royalty too low");
// ... rest of the relisting logic
}
Fixed Relisting Fee

uint256 constant RELIST_FEE = 0.01 ether; // Example fee

function relist(address _asset, address _buyer, uint256 _price) external {
// Charge a fixed fee regardless of price
token.transferFrom(msg.sender, address(this), RELIST_FEE);
// ... rest of the relisting logic
}

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.