Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

Malicious user can list assets with 0 or dust price to reach the maxAssetCount limit, and prevent other sellers from listing under that buyer

Summary

Because listings have no minimum price, a malicious seller can perform a griefing attack by listing multiple assets at a price of zero or a negligible amount. Doing so lets them reach the maxAssetCount limit set for a buyer, blocking other legitimate sellers from listing their assets under that buyer for the current round.

Vulnerability Details

The number of assets that can be listed under a buyer in a given round is capped at maxAssetCount:

    function list(
        string calldata _name,
        string calldata _symbol,
        bytes calldata _desc,
        uint256 _price,
        address _buyer
    ) external {
        ...
        if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
            revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
        }
        ...
        assetsPerBuyerRound[_buyer][round].push(asset);
        ...
    }

A malicious seller can list many assets with a price of 0 or a dust amount, just to reach a buyer's maxAssetCount limit and prevent other sellers from listing under that buyer. This is a griefing attack.

Impact

This enables malicious sellers to obstruct legitimate market activity by filling a buyer’s asset limit with low-value or zero-priced listings, effectively blocking other sellers from participating.

Tools Used

Manual Review

Recommendations

There should be a minimum price at which an asset can be listed.
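
One way to apply this recommendation, as an added sketch that is not Swan's code or part of the submission: a stripped-down registry that keeps the maxAssetCount cap from the excerpt above and rejects listings below a price floor. The names ListingCapSketch, Listing, minListingPrice, PriceBelowMinimum, currentRound and listingCount are hypothetical, and setting the floor once at deployment is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Swan's code. All names except maxAssetCount and
/// AssetLimitExceeded are hypothetical.
contract ListingCapSketch {
    struct Listing {
        address seller;
        uint256 price;
    }

    error AssetLimitExceeded(uint256 limit);
    error PriceBelowMinimum(uint256 price, uint256 minimum);

    uint256 public immutable maxAssetCount;
    uint256 public immutable minListingPrice; // assumed floor, fixed at deployment
    uint256 public currentRound; // stand-in for the round lookup elided in the excerpt

    mapping(address => mapping(uint256 => Listing[])) private listingsPerBuyerRound;

    constructor(uint256 _maxAssetCount, uint256 _minListingPrice) {
        maxAssetCount = _maxAssetCount;
        minListingPrice = _minListingPrice;
    }

    function list(uint256 _price, address _buyer) external {
        // Added guard: zero and dust prices revert before the cap check,
        // so they can never occupy one of the buyer's slots for the round.
        if (_price < minListingPrice) {
            revert PriceBelowMinimum(_price, minListingPrice);
        }

        Listing[] storage listings = listingsPerBuyerRound[_buyer][currentRound];

        // Same per-buyer, per-round cap as in the excerpt.
        if (maxAssetCount == listings.length) {
            revert AssetLimitExceeded(maxAssetCount);
        }

        listings.push(Listing({seller: msg.sender, price: _price}));
    }

    // Lets a test confirm that rejected listings did not consume a slot.
    function listingCount(address _buyer, uint256 _round) external view returns (uint256) {
        return listingsPerBuyerRound[_buyer][_round].length;
    }
}
```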

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price
