In the Swan contract, there is no check for the token allowance between the seller and Swan when listing an asset.
The list() function in turn calls transferRoyalties(), which attempts to perform token.transferFrom(asset.seller, address(this), buyerFee).
If the seller has not provided sufficient allowance for the Swan contract to transfer tokens, the transaction will fail when attempting to transfer the tokens. This can cause inconsistencies: for example, for tokens like USDT, the transaction does not revert even when the transfer fails; instead it returns false, which is not captured by the code in question.
Wasted gas fee for users
Poor user experience
Inconsistent Behavior: Other parts of the codebase include checks for token allowance before transferring tokens, but this important check is missing in the list() function. This inconsistency could lead to confusion and unexpected behavior.
Manual review
Add a check for token allowance before attempting transfers. This will ensure that sellers have approved enough tokens for transfer, preventing unnecessary gas consumption on failed transactions.
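One way to implement the recommended check, as an added example that is not the Swan contract's own code: it verifies the allowance first and then treats a false or missing return value from transferFrom as a failure. FeePuller, _pullFee, IERC20Minimal and the custom errors are hypothetical names, and the token is assumed to expose the standard ERC-20 allowance and transferFrom functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Swan source. All names here are hypothetical.
interface IERC20Minimal {
    function allowance(address owner, address spender) external view returns (uint256);
}

abstract contract FeePuller {
    error NotAContract(address token);
    error InsufficientAllowance(uint256 have, uint256 need);
    error TransferFromFailed();

    // transferFrom(address,address,uint256)
    bytes4 private constant TRANSFER_FROM = 0x23b872dd;

    /// Pull `fee` from `seller` into this contract, failing early with a clear reason.
    function _pullFee(address token, address seller, uint256 fee) internal {
        // A low-level call to an address without code succeeds silently, so rule that out.
        if (token.code.length == 0) revert NotAContract(token);

        // 1. Explicit allowance check: a descriptive revert before any transfer is attempted.
        uint256 allowed = IERC20Minimal(token).allowance(seller, address(this));
        if (allowed < fee) revert InsufficientAllowance(allowed, fee);

        // 2. Low-level call so both token styles are handled:
        //    tokens that return a bool and tokens that return no data at all.
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(TRANSFER_FROM, seller, address(this), fee)
        );

        // A revert inside the token, or an explicit `false`, is a failure
        // and must not be ignored by the caller.
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert TransferFromFailed();
        }
    }
}
```

A listing function that inherits this contract would call _pullFee(address(token), asset.seller, buyerFee) before recording the listing, so a seller with too little allowance gets InsufficientAllowance instead of an opaque failure.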