Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: high
Invalid

`Swan::list` function can unexpectedly revert due to using `==` instead of `<=` to compare the length of `assetsPerBuyerRound` with the market's `maxAssetCount` parameter.

Vulnerability Details:

If the market parameters are changed in the middle of a round and `maxAssetCount` is increased, then when a seller calls `list` for a buyer in that round, the call will revert because of the incorrect `==` check, even though the length of the `assetsPerBuyerRound[buyer][round]` array is less than `maxAssetCount`.
This is unexpected revert behaviour.

```solidity
// asset count must not exceed `maxAssetCount`
if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
    //@audit Using == instead of <= can cause unexpected revert here.
    revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
```

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L167C9-L170C10

Impact

An unexpected revert occurs when, for a particular buyer in any round, the market parameters are changed and `maxAssetCount` is increased. The seller will then not be able to list in that round for that buyer again due to the wrong check.
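
The following added example (not part of the submission or of the Swan code base) models the asset-count guard with both comparison operators and replays constructed event sequences in which `maxAssetCount` is raised or lowered mid-round. `replay`, `compare` and the event format are hypothetical names; only the comparison itself is taken from the snippet above.

```javascript
// Added model of the asset-count guard in Swan::list; not the contract's code.
// Names other than maxAssetCount and AssetLimitExceeded are hypothetical.

const GUARDS = {
  // original check: revert only when the limit equals the current count
  eq: (max, listed) => max === listed,
  // recommended check: revert when the count has reached or passed the limit
  lte: (max, listed) => max <= listed,
};

// Replays events for one buyer in one round and records each list() outcome.
// events: ["list"] or ["setMax", n] (market parameters changed mid-round).
function replay(guard, initialMax, events) {
  let max = initialMax;
  let listed = 0; // stands in for assetsPerBuyerRound[buyer][round].length
  const outcomes = [];
  for (const [kind, value] of events) {
    if (kind === "setMax") {
      max = value;
    } else if (kind === "list") {
      if (GUARDS[guard](max, listed)) {
        outcomes.push(`revert AssetLimitExceeded(${max})`);
      } else {
        listed += 1;
        outcomes.push("ok");
      }
    } else {
      throw new Error(`unknown event: ${kind}`);
    }
  }
  return { listed, max, outcomes };
}

// Constructed sequences: the limit is raised (3 -> 4) or lowered (4 -> 2) mid-round.
const RAISED = [["list"], ["list"], ["setMax", 4], ["list"], ["list"], ["list"]];
const LOWERED = [["list"], ["list"], ["list"], ["setMax", 2], ["list"], ["list"]];

// Runs the same sequence under both guards so the outcomes can be compared.
function compare(initialMax, events) {
  return { eq: replay("eq", initialMax, events), lte: replay("lte", initialMax, events) };
}

console.log(JSON.stringify(compare(3, RAISED)));
console.log(JSON.stringify(compare(4, LOWERED)));
```

In this model the two operators produce different outcomes only in the lowered sequence, where the stored count is already above the new limit.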

Recommendation

Use `<=`, as is done in the `relist` function.

167: // asset count must not exceed `maxAssetCount`
- if (getCurrentMarketParameters().maxAssetCount == assetsPerBuyerRound[_buyer][round].length) {
+ if (getCurrentMarketParameters().maxAssetCount <= assetsPerBuyerRound[_buyer][round].length) {
revert AssetLimitExceeded(getCurrentMarketParameters().maxAssetCount);
}
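
Review bot: on the `+` line, `maxAssetCount <= assetsPerBuyerRound[_buyer][round].length` differs from the `==` form only when the stored length is already greater than `maxAssetCount`; when the length is below the limit neither form reverts, and at equality both do. The description of the change should name that state as the one it affects, and a test that reaches it would pin the behaviour. `getCurrentMarketParameters()` is also called twice in this hunk, once in the condition and once in the `revert`; reading `maxAssetCount` into a local once would avoid the repeated call.
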
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

0x11singh99 Submitter
8 months ago
inallhonesty Lead Judge
8 months ago
inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
