Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: high
Invalid

Malicious buyer can grief the asset seller

Summary

A buyer purchases a listed asset from a seller. The buyer is rewarded with a royalty fee taken from the asset seller. However, a vulnerability allows the buyer to charge the seller the full asset price as that fee.

Vulnerability Details

The royalty fee that the buyer receives is calculated in Swan.sol as follows:

```solidity
function transferRoyalties(AssetListing storage asset) internal {
    // calculate fees
    uint256 buyerFee = (asset.price * asset.royaltyFee) / 100; ///@audit royaltyFee == 100 makes buyerFee == price
    uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;
    // first, Swan receives the entire fee from seller
    // this allows only one approval from the seller's side
    token.transferFrom(asset.seller, address(this), buyerFee);
    // send the buyer's portion to them
    token.transfer(asset.buyer, buyerFee - driaFee);
    // then it sends the remaining to Swan owner
    token.transfer(owner(), driaFee);
}
```

Now let's do a calculation:

- asset price = 570
- asset royaltyFee = 100
- buyerFee = (570 * 100) / 100 = 570

As we can see, when the royalty fee is set to 100, the entire asset price is consumed as the fee. You may ask why the protocol allows that, but the protocol actually lets the buyer set the fee anywhere between 1 and 100:

```solidity
function setFeeRoyalty(uint96 _fee) public onlyOwner {
    _checkRoundPhase(Phase.Withdraw);
    // only the bounds 1..100 are enforced; 100 means the whole price
    if (_fee < 1 || _fee > 100) {
        revert InvalidFee(_fee);
    }
    royaltyFee = _fee;
}
```
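To make the fee math above and the 1..100 bound in setFeeRoyalty() concrete, here is an added Python model of the accounting (written for this page, not the project's code). It assumes the buyer pays `price` to the seller before transferRoyalties() pulls the fee back from the seller, and it adds a hypothetical `MAX_ROYALTY` cap as one way to implement the recommendation of not letting the buyer choose the fee freely.

```python
from dataclasses import dataclass


@dataclass
class Listing:
    price: int
    royalty_fee: int   # percent; the audited setFeeRoyalty() allows 1..100
    platform_fee: int  # percent; from getCurrentMarketParameters().platformFee


def royalty_split(listing: Listing) -> tuple[int, int]:
    """Same integer math as transferRoyalties(): returns (buyerFee, driaFee)."""
    buyer_fee = (listing.price * listing.royalty_fee) // 100
    dria_fee = (buyer_fee * listing.platform_fee) // 100
    return buyer_fee, dria_fee


def settle(listing: Listing) -> dict[str, int]:
    """Net token movement per party for one purchase.

    Assumption (not shown on the page): the buyer first pays `price` to the
    seller; transferRoyalties() then pulls buyerFee from the seller and
    forwards buyerFee - driaFee to the buyer and driaFee to the Swan owner.
    """
    buyer_fee, dria_fee = royalty_split(listing)
    return {
        "seller": listing.price - buyer_fee,             # 0 when royalty_fee == 100
        "buyer": -listing.price + (buyer_fee - dria_fee),  # buyer only pays driaFee
        "owner": dria_fee,
    }


MAX_ROYALTY = 10  # hypothetical protocol-level cap in percent


def is_valid_royalty(fee: int) -> bool:
    """Hardened bound for setFeeRoyalty(): reject fees above the protocol cap."""
    return 1 <= fee <= MAX_ROYALTY
```

With the page's numbers (price 570, royalty 100) and a 10% platform fee, the seller nets 0, the buyer pays only the 57-token platform fee, and the owner receives 57.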

In BuyerAgent.sol the owner is the buyer (confirmed by the sponsors):

https://discord.com/channels/1127263608246636635/1299335387898183710/1301261211450736640

Impact

Loss of funds for the asset seller.

Root cause

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L258C4-L272C6

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/BuyerAgent.sol#L380-L386

Tools Used

None

Recommendations

Do not allow the buyer to set the royalty fee.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
