Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: medium
Valid

Denial of Service Attack on Buyer Agents Through Asset Listing Manipulation

Relevant Context

The Swan protocol allows users to list or relist assets that can be purchased by buyer agents. Each buyer agent has a maximum number of assets they can have listed to them per round (maxAssetCount). The listing process requires paying royalty fees that are calculated as a percentage of the listing price.

Finding Description

The list() function in the Swan contract allows an attacker to perform a denial of service attack on buyer agents by exploiting the asset count limit and royalty fee calculation.

The key issues are:

  1. There is no minimum price requirement for listings

  2. Royalty fees are calculated as a percentage of the price, meaning extremely low prices (1 wei) result in zero fees due to rounding

  3. The maxAssetCount limit is enforced per buyer agent per round

  4. Anyone can list assets to any buyer agent

An attacker can list the maximum number of assets allowed to a buyer agent with a price of 1 wei. Due to percentage-based calculations rounding down to 0, this costs the attacker virtually nothing in fees. Once the maximum number of assets is reached, legitimate sellers cannot list assets to that buyer agent for the entire round.

Impact Explanation

High. This attack can completely prevent legitimate sellers from listing assets to targeted buyer agents, effectively breaking core protocol functionality. The attack can be sustained cheaply across multiple rounds.

Likelihood Explanation

High. The attack is simple to execute, requires minimal capital, and has no significant barriers or risks for the attacker.

Proof of Concept

  1. Attacker identifies a target buyer agent

  2. Attacker determines the maxAssetCount for the current market parameters (e.g. 10)

  3. Attacker calls list() 10 times with:

    • Price = 1 wei

    • Buyer = target buyer agent address

    • Minimal name/symbol/description strings, to keep gas costs low

  4. The buyer agent's asset slot limit is reached for the round

  5. Legitimate sellers trying to list assets to this buyer agent will have their transactions revert due to AssetLimitExceeded

  6. Attacker can repeat for subsequent rounds at minimal cost

Recommendation

Implement one or more of the following protections:

  1. Add a minimum listing price requirement:

     function list(...) external {
         // Reject dust-priced listings whose percentage royalty rounds down to zero
         require(_price >= MINIMUM_LISTING_PRICE, "Price too low");
         ...
     }

  2. Require a minimum fixed fee for listings regardless of price:

     function list(...) external {
         // Flat fee charged on every listing, so occupying a slot is never free
         uint256 minFee = 0.01 ether;
         token.transferFrom(msg.sender, address(this), minFee);
         ...
     }

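To make the rounding and slot-exhaustion behaviour described in the finding and the minimum-price fix above concrete, here is an added Python model of that logic; it is not the Swan contract's code, and the 5% royalty, the 10-slot limit and the `min_price` parameter are assumed values.

```python
# Constructed model of the listing and royalty logic this finding describes;
# it is not the Swan contract's code. Fee percentage and values are assumptions.
from dataclasses import dataclass, field

class AssetLimitExceeded(Exception):
    pass

class PriceTooLow(Exception):
    pass

@dataclass
class Market:
    max_asset_count: int        # listing slots per buyer agent per round
    royalty_percent: int        # assumed integer percentage of the price
    min_price: int = 0          # 0 reproduces the unchecked behaviour
    round_id: int = 1
    listings: dict = field(default_factory=dict)   # (buyer, round) -> prices

    def royalty(self, price: int) -> int:
        # Integer division floors: any price below 100 // royalty_percent pays 0
        return price * self.royalty_percent // 100

    def list(self, buyer: str, price: int) -> int:
        """Record one listing for `buyer` and return the royalty charged."""
        if price < self.min_price:
            raise PriceTooLow(price)
        slots = self.listings.setdefault((buyer, self.round_id), [])
        if len(slots) >= self.max_asset_count:
            raise AssetLimitExceeded(buyer)
        slots.append(price)
        return self.royalty(price)

def fill_slots(market: Market, buyer: str, price: int) -> int:
    """Total royalty one account pays to occupy every slot of `buyer` this round."""
    return sum(market.list(buyer, price) for _ in range(market.max_asset_count))

def blocked(market: Market, buyer: str, price: int) -> bool:
    """True if an honest listing at `price` now reverts with AssetLimitExceeded."""
    try:
        market.list(buyer, price)
    except AssetLimitExceeded:
        return True
    return False

if __name__ == "__main__":
    weak = Market(max_asset_count=10, royalty_percent=5)
    print("royalty paid to fill 10 slots at 1 wei:", fill_slots(weak, "agent", 1))
    print("honest 1 ether listing blocked:", blocked(weak, "agent", 10**18))
```

Setting `min_price` above `100 // royalty_percent` wei makes the zero-fee case unreachable, and the per-round key shows why the slots reopen only when the round advances.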
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price
