Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

A Malicious Seller could populate Buyers round with spam assets

0xhacksmithh

Summary

Refer Details section

Vulnerability Details

list() allow buyers to list there assets for a Buyer

And there is check that ensure perticular a no. of assets per Buyers's round

if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {

revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);

}

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L167-L170

A malicious Seller could list a no. of spam assets for Buyers for each round, so that this limit fullfilled and Other genuine Sellers couldn't able to list there assets for that Buyer.

Note :: As here price of listing assets decided by Seller, So he can set it to 0(as no 0 amount checked) , in result fee to platform & `fee to Buyer` will be zero

function list(string calldata _name, string calldata _symbol, bytes calldata _desc, uint256 _price, address _buyer)

external

{

BuyerAgent buyer = BuyerAgent(_buyer);

(uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();

// buyer must be in the sell phase

if (phase != BuyerAgent.Phase.Sell) {

revert BuyerAgent.InvalidPhase(phase, BuyerAgent.Phase.Sell);

}

// asset count must not exceed `maxAssetCount`

if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {

revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);

}

// all is well, create the asset & its listing

address asset = address(swanAssetFactory.deploy(_name, _symbol, _desc, msg.sender));

listings[asset] = AssetListing({

createdAt: block.timestamp,

royaltyFee: buyer.royaltyFee(),

price: _price,

seller: msg.sender,

status: AssetStatus.Listed,

buyer: _buyer,

round: round

});

// add this to list of listings for the buyer for this round

assetsPerBuyerRound[_buyer][round].push(asset); // @audit-issue populated with spams

// transfer royalties

transferRoyalties(listings[asset]);

emit AssetListed(msg.sender, asset, _price);

}

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L185

Impact

Genuine Seller will be frontrunned and never will able to list there Assets

Tools Used

Manual Review

Recommendations

I think atleast enforcing some minimum amount of fee towards platform or Buyer could demotivate this type of attack.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.