Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Buyer's rounds can be DoSed due to improper `maxAssetCount` check

tejaswarambhe

Summary

A Buyer's rounds can be DoSed (Denial-of-service) due to a strict maxAssetCount check against total assets listed.

Vulnerability Details

A Seller can list assets to the buyer using the Swan::list and Swan::relist functions.

The issue here is that it implements a check against all the total listings of that particular round against maxAssetCount.

// Swan::list

if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) { <@ // Checks against all assets listed to this buyer

revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);

}

// Swan::relist

uint256 count = assetsPerBuyerRound[_buyer][round].length;

if (count >= getCurrentMarketParameters().maxAssetCount) { <@ // Checks against all assets listed to this buyer

revert AssetLimitExceeded(count);

}

A malicious actor can DoS these functions by listing assets with dust or 0 value ensuring no genuine seller gets to list to that particular buyer.

Proof of Concept

Replace the function in the test/Swan.test.ts file at L167.

it("should list 5 bogus assets for the first round", async function () {

await listAssets(

swan,

buyerAgent,

[

[seller, parseEther("0")],

"useless",

ethers.encodeBytes32String("useless description"),

);

// genuine seller trying to list an asset would fail

await expect(swan.connect(seller).list(NAME, SYMBOL, DESC, PRICE1, await buyerAgent.getAddress()))

.to.be.revertedWithCustomError(swan, "AssetLimitExceeded")

.withArgs(MARKET_PARAMETERS.maxAssetCount);

});

Impact

Leads to Denial of service for the buyer agent.

Tools Used

Manual Review + Hardhat

Recommendations

Consider implementing a seller => buyer => round mapping to avoid checking against total listings.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.