Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: medium
Valid

An attacker can block a buyer from purchasing essential assets.

Summary

An attacker can call list() with _price = 0, which makes both buyerFee and driaFee zero, so each listing costs nothing beyond gas. By creating many such listings for a target buyer, the attacker fills that buyer's maxAssetCount quota for the round, preventing other sellers from listing to the buyer and leaving the buyer with nothing legitimate to purchase.

Vulnerability Details

```solidity
/// @notice Keeps track of assets per buyer & round.
mapping(address buyer => mapping(uint256 round => address[])) public assetsPerBuyerRound;
```

This mapping in Swan.sol is what list() and relist() check to ensure that the number of assets listed to a buyer in a round does not exceed maxAssetCount.

```solidity
// asset count must not exceed `maxAssetCount`
if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
    revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
```

If the target buyer agent has a low royaltyFee, the fee per listing is already small; with _price = 0 it is exactly zero. Either way an attacker can create many listings for that buyer at little or no cost, pushing assetsPerBuyerRound[_buyer][round] to maxAssetCount so that the buyer can no longer receive, and therefore cannot purchase, assets from other sellers.

Because list() stores _price in the listing and transferRoyalties() derives buyerFee from it, a zero price makes both buyerFee and driaFee zero, so the seller-side transferFrom moves nothing. The attacker can therefore create as many assets as it takes to reach maxAssetCount and prevent other sellers from selecting that buyer.

```solidity
function transferRoyalties(AssetListing storage asset) internal {
    // calculate fees: both are zero when asset.price == 0
    uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;
    uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;
    token.transferFrom(asset.seller, address(this), buyerFee); // seller pays the whole fee to Swan
    token.transfer(asset.buyer, buyerFee - driaFee);           // buyer's share
    token.transfer(owner(), driaFee);                          // platform's share
}
```

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L177C1-L181C1

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L168

Impact

The buyer will be unable to purchase the assets it needs, and other sellers will be unable to list assets to that buyer for the rest of the round.

Recommendations

There are two ways to address this issue:

1- Enforce a minimum listing price, so that every listing pays a non-zero fee.

2- Limit the number of assets a single seller can list for a given buyer in a given round.
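The following contract is an added illustration of the check described under Vulnerability Details and of both recommendations above; it is not Swan's code. Only maxAssetCount, assetsPerBuyerRound and AssetLimitExceeded mirror Swan. The market parameters minAssetPrice and maxListingsPerSeller, the sellerListingsPerRound mapping, the custom errors PriceBelowMinimum and SellerLimitExceeded, and the simplified list() signature are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Illustrative model of the listing limit discussed in this finding.
/// Not Swan's code: only `maxAssetCount`, `assetsPerBuyerRound` and
/// `AssetLimitExceeded` mirror Swan; `minAssetPrice`, `maxListingsPerSeller`,
/// `sellerListingsPerRound` and the simplified `list()` are assumptions.
contract ListingLimitExample {
    struct MarketParameters {
        uint256 maxAssetCount;        // per-buyer, per-round cap (as in Swan)
        uint256 minAssetPrice;        // assumed: recommendation 1
        uint256 maxListingsPerSeller; // assumed: recommendation 2
    }

    MarketParameters public params;

    /// Same shape as Swan's `assetsPerBuyerRound`.
    mapping(address buyer => mapping(uint256 round => address[])) public assetsPerBuyerRound;

    /// Assumed addition: how many slots one seller has taken for a buyer in a round.
    mapping(address seller => mapping(address buyer => mapping(uint256 round => uint256)))
        public sellerListingsPerRound;

    error AssetLimitExceeded(uint256 maxAssetCount);
    error PriceBelowMinimum(uint256 price, uint256 minAssetPrice);
    error SellerLimitExceeded(uint256 maxListingsPerSeller);

    constructor(uint256 maxAssetCount, uint256 minAssetPrice, uint256 maxListingsPerSeller) {
        params = MarketParameters(maxAssetCount, minAssetPrice, maxListingsPerSeller);
    }

    /// The check as Swan.list() performs it: only the buyer-wide count is enforced,
    /// so one seller can take every slot, and with price 0 pays no fee doing so.
    function _checkVulnerable(address buyer, uint256 round) internal view {
        if (params.maxAssetCount == assetsPerBuyerRound[buyer][round].length) {
            revert AssetLimitExceeded(params.maxAssetCount);
        }
    }

    /// Hardened check: keep the buyer-wide cap, refuse listings below the
    /// minimum price, and cap the slots a single seller may occupy.
    function _checkHardened(address seller, address buyer, uint256 round, uint256 price) internal view {
        _checkVulnerable(buyer, round);
        if (price < params.minAssetPrice) {
            revert PriceBelowMinimum(price, params.minAssetPrice);
        }
        if (sellerListingsPerRound[seller][buyer][round] >= params.maxListingsPerSeller) {
            revert SellerLimitExceeded(params.maxListingsPerSeller);
        }
    }

    /// Stand-in for Swan.list(): `asset` plays the role of the SwanAsset that Swan
    /// would deploy; the fee transfer is omitted because the point here is the gate.
    function list(address buyer, uint256 round, uint256 price, address asset) external {
        _checkHardened(msg.sender, buyer, round, price);
        assetsPerBuyerRound[buyer][round].push(asset);
        sellerListingsPerRound[msg.sender][buyer][round] += 1;
    }

    /// Fee the seller would pay under Swan's formula. With royaltyFee = 1 and any
    /// price below 100 this still returns 0, so a minimum price alone is not enough.
    function buyerFeeFor(uint256 price, uint256 royaltyFee) external pure returns (uint256) {
        return (price * royaltyFee) / 100;
    }
}
```

Two caveats when applying recommendation 1 on its own. First, Swan computes buyerFee as (price * royaltyFee) / 100, so integer division still yields a zero fee unless minAssetPrice * royaltyFee >= 100; the minimum must be chosen against the smallest royaltyFee a buyer agent may set. Second, royaltyFee is read from the buyer agent, so a buyer with a small fee remains cheap to spam even with a non-zero price. The per-seller cap (recommendation 2) bounds the attack regardless of the fee level, which is why the example enforces both.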

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price
