An expensive asset can DoS the subsequent assets purchase which are valid
Summary
In the BuyerAgent::purchase where the entire purchase transaction reverts if an first asset price exceeds the amountPerRound limit. This causes subsequent valid assets (with prices within limits) to be skipped, resulting in missed purchasing opportunities for the buyerAgent even the buyerAgent intents to purchase.
Vulnerability Details
The vulnerability lies in the purchase() , where it checks if spending amount of round must not exceed the amountPerRound if (spendings[round] > amountPerRound). But before that it adds the price of asset to the spending amount of round spendings[round] += price;. If the price of an first asset is more than the amountPerRound, then the subsequent assets (price less than the amountPerRound) are not purchasable by the buyerAgent (who thinks that those subsequent assets are good) because of the following one .
Although these assets can be relisted, but we can't predict that those assets are again sellable to the same buyerAgent. And also amountPerRound can be changed only in withdraw phase but not in buy phase.
Example scenario:
Impact
Valid and affordable assets are not purchased if they appear after an expensive asset and the entire rounds fails without purchase any assets even if the buyerAgent intends to purchase.
Tools Used
Manual Review.
Recommendations
Implement an mechanism to purchase the valid assets which are appeared even after an expensive asset.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.