Each buyer has a fixed number of listing slots available every round. Any user can pose as a seller and force low-value listings onto the buyer, preventing any actual listings from being available to them.
When a user creates a listing by calling the list function in the swan.sol contract, the listing is stored in the assetsPerBuyerRound mapping, which holds the listings for every (buyer, round) key pair. Each entry can hold only a fixed maximum number of items.
So if a user creates low-price listings for this buyer and fills up their assetsPerBuyerRound for that round, the buyer cannot actually buy anything that round. If the creator sets the price low, they pay very little in royalties, so the cost of the attack is very low.
Say Alice wants to buy an NFT and Bob wants to sell it to her. Bob wants to create a listing for Alice this round. However, as soon as the round starts, Charlie creates 50 listings with a price of 1 wei each. This way they pay 0 wei in royalty fees. Alice's assetsPerBuyerRound[alice][roundId] gets filled up to the max of 50, and then Bob cannot list the item to Alice anymore.
This way, buyer agents can get bricked by any user.
Manual Review
Consider either allowing any number of listings stored in a mapping so that it does not need to be iterated over, or only allowing whitelisted sellers.
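A sketch of the whitelisted-seller option, added here as an illustration and not taken from the project's code. Only the assetsPerBuyerRound name and the cap of 50 come from the report; the contract name, the 1% royalty rate, approvedSeller and the error names are assumptions. It also goes one step beyond the recommendation by rejecting prices whose royalty truncates to zero.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of a capped per-buyer, per-round listing book.
/// Only `assetsPerBuyerRound` and the cap of 50 come from the report;
/// every other name and value is an assumption made for illustration.
contract ListingBookModel {
    uint256 public constant MAX_LISTINGS = 50;   // cap cited in the report
    uint256 public constant ROYALTY_PERCENT = 1; // assumed fee rate

    // buyer => round => listed asset ids
    mapping(address => mapping(uint256 => uint256[])) public assetsPerBuyerRound;
    // buyer => seller => approved (hypothetical whitelist)
    mapping(address => mapping(address => bool)) public approvedSeller;

    error SellerNotApproved();
    error RoyaltyRoundsToZero();
    error RoundFull();

    /// The buyer decides which sellers may consume their listing slots.
    function setSeller(address seller, bool ok) external {
        approvedSeller[msg.sender][seller] = ok;
    }

    /// Integer division truncates: (1 wei * 1) / 100 == 0.
    function royaltyOf(uint256 price) public pure returns (uint256) {
        return (price * ROYALTY_PERCENT) / 100;
    }

    function list(address buyer, uint256 round, uint256 assetId, uint256 price) external {
        // Whitelist: only sellers the buyer approved can take a slot.
        if (!approvedSeller[buyer][msg.sender]) revert SellerNotApproved();
        // Extra guard: every slot must cost the seller a non-zero royalty.
        if (royaltyOf(price) == 0) revert RoyaltyRoundsToZero();

        uint256[] storage slots = assetsPerBuyerRound[buyer][round];
        if (slots.length >= MAX_LISTINGS) revert RoundFull();
        slots.push(assetId);
        // Royalty transfer and asset creation are omitted from this model.
    }
}
```

With these checks, an unapproved address cannot occupy any of the 50 slots, and an approved seller cannot fill them at zero cost.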