An attacker can continuously list assets for buyer agents with a zero _price, because no royaltyFee is charged for listing when the price is zero. This allows the attacker to target a particular buyer and list the maximum possible number of assets for that buyer in a round, so no other genuine lister can list for that buyer. The same attacker can target as many buyers as they want.
Code:
Currently in list(), the lister does not have to pay any buyerFee or driaFee if the _price is zero while listing. The fee is calculated and transferred in the transferRoyalties() function after listing the asset.
Considering that the Swan protocol will deploy on EVM L2 chains like Base, the gas fee is close to negligible, so the attack is economically feasible.
Scenario:
Suppose Alice has a buyerAgent contract, Bob is a lister, and there are other listers such as Harry and Alok.
Alice creates a buyer agent, and it is now in the sell phase to accept listings.
Bob, who is a malicious actor, lists maxAssetCount assets for that buyerAgent in that round, so other genuine listers cannot list for Alice. The attacker can eventually create a monopoly by spamming listings.
Genuine listers are impacted by this and can no longer participate.
Genuine listers will be highly impacted and will not be able to list for buyer agents.
Manual Inspection
To fix this issue, add a check that reverts if a lister tries to list with a zero _price.
Also add a maximum listing count per seller, buyer and round.
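One way to implement both recommendations, as an added sketch that is not the Swan contract's own code. Every name other than list(), _price and maxAssetCount is hypothetical, the round is passed as an argument to keep the sketch self-contained, and asset creation and fee transfer are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of the two recommended checks; not the Swan contract.
contract ListingGuardSketch {
    error ZeroPrice();
    error RoundFull(address buyer, uint256 round);
    error SellerCapReached(address seller, address buyer, uint256 round);

    event Listed(address indexed seller, address indexed buyer, uint256 round, uint256 price);

    uint256 public immutable maxAssetCount;        // slots per buyer and round
    uint256 public immutable maxListingsPerSeller; // assumed new parameter

    // buyer => round => listings accepted so far
    mapping(address => mapping(uint256 => uint256)) public listedCount;
    // seller => buyer => round => listings by that seller
    mapping(address => mapping(address => mapping(uint256 => uint256))) public sellerListedCount;

    constructor(uint256 _maxAssetCount, uint256 _maxListingsPerSeller) {
        require(_maxListingsPerSeller > 0 && _maxListingsPerSeller <= _maxAssetCount, "bad caps");
        maxAssetCount = _maxAssetCount;
        maxListingsPerSeller = _maxListingsPerSeller;
    }

    function list(address buyer, uint256 round, uint256 _price) external {
        // Recommendation 1: a zero price produces zero fees, so reject it.
        if (_price == 0) revert ZeroPrice();

        // Per-buyer, per-round slot limit described in the report.
        if (listedCount[buyer][round] >= maxAssetCount) revert RoundFull(buyer, round);

        // Recommendation 2: one seller may not take every slot of a round.
        uint256 mine = sellerListedCount[msg.sender][buyer][round];
        if (mine >= maxListingsPerSeller) revert SellerCapReached(msg.sender, buyer, round);

        sellerListedCount[msg.sender][buyer][round] = mine + 1;
        listedCount[buyer][round] += 1;
        emit Listed(msg.sender, buyer, round, _price);
    }
}
```

The per-seller cap is keyed on msg.sender, so it bounds a single address only; pairing it with a minimum listing price keeps every slot tied to a real fee.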