Swan.sol allows fee bypass through price overflow in listing and royalty calculations.
The issue is in the `list()` function, where there is no check for price overflow when:
- storing the price in the `AssetListing` struct
- calculating royalty fees: `uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;`
Impact:
- If the price is very large, the multiplication `price * royaltyFee` could overflow.
- This could lead to incorrect fee calculations and token transfers.
- In extreme cases, it could allow bypassing fee payments entirely.
Proof of Concept:
- Call `list()` with a price greater than `type(uint256).max / 2`.
- The royalty calculation will overflow.
- The actual fees paid will be much lower than intended.
Why It's Dangerous:
- Direct financial impact on protocol revenue
- Affects every listing with large prices
- Can be exploited systematically
- Undermines core protocol economics
- Connected to critical token transfer logic

Malicious users can manipulate fee calculations by using large prices that cause arithmetic overflow. The protocol and buyer agents could receive much lower fees than intended.
Tools Used:
Manual Review

Recommended Mitigation:
Ensures fee calculations cannot overflow and maintains the integrity of protocol economics.
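The following is an added model of the proof of concept and of the recommended listing-time check; it is not code from Swan.sol. It evaluates `(price * royaltyFee) / 100` under wrapping uint256 arithmetic (Solidity before 0.8, or inside an `unchecked` block) and under checked arithmetic (the Solidity 0.8+ default, where the overflow reverts with `Panic(0x11)` instead of wrapping), and shows the bound a `require` in `list()` would enforce. The Swan.sol compiler version is not stated on this page, so which branch applies is an assumption; the sample price and royalty are constructed.

```python
from typing import Optional

UINT256_MAX = 2**256 - 1
ROYALTY_DENOMINATOR = 100  # the "/ 100" in the Swan.sol buyerFee expression


def buyer_fee_wrapping(price: int, royalty_fee: int) -> int:
    """Wrapping (modular) uint256 arithmetic: Solidity < 0.8 or an `unchecked` block.
    The product is silently truncated to 256 bits before the division."""
    return ((price * royalty_fee) & UINT256_MAX) // ROYALTY_DENOMINATOR


def buyer_fee_checked(price: int, royalty_fee: int) -> Optional[int]:
    """Checked arithmetic (Solidity >= 0.8 default): an overflowing product reverts
    the transaction with Panic(0x11). The revert is modelled as returning None."""
    product = price * royalty_fee
    if product > UINT256_MAX:
        return None  # no listing is stored and no tokens move
    return product // ROYALTY_DENOMINATOR


def max_listable_price(royalty_fee: int) -> int:
    """Largest price for which price * royalty_fee still fits in uint256.
    A `require(price <= max_listable_price)` in list() (hypothetical guard)
    rejects overflowing prices before they are stored in AssetListing."""
    return UINT256_MAX if royalty_fee == 0 else UINT256_MAX // royalty_fee


def simulate_listing(price: int, royalty_fee: int) -> dict:
    """Compare the fee each semantics yields for one listing, plus the guard verdict."""
    intended = (price * royalty_fee) // ROYALTY_DENOMINATOR  # unbounded-integer truth
    return {
        "intended": intended,
        "wrapping": buyer_fee_wrapping(price, royalty_fee),
        "checked": buyer_fee_checked(price, royalty_fee),
        "guard_rejects": price > max_listable_price(royalty_fee),
    }


if __name__ == "__main__":
    # Constructed sample: price just above type(uint256).max / 2 with a 10% royalty.
    # Wrapping arithmetic yields a buyerFee of 0 (10 * 2**255 is a multiple of 2**256);
    # checked arithmetic reverts; the guard rejects the price at listing time.
    for key, value in simulate_listing(2**255, 10).items():
        print(f"{key}: {value}")
```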