Submission Details
Severity:
Loss of funds for seller if buyer doesn't purchase the asser
Summary
By design the seller first creates the asset to be sold by calling Swan.list() and then transfers the royalty fee to the buyer beforehand. While this seems to be a design choice, it could be problematic if the seller doesn't purchase the asset. Since there is no guarantees that the asset will be sold that means buyer can collect fees all the time without buying the listed asset. This will result in unnecessary loses for the buyer.
function list(...) external {
...
// transfer royalties
@> transferRoyalties(listings[_asset]);
...
}
function transferRoyalties(AssetListing storage asset) internal {
// calculate fees
uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;
uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;
...
// send the buyer's portion to them
token.transfer(asset.buyer, buyerFee - driaFee);
}
Tools Used
Manual
Recommendations
I would suggest to lock the fees of the buyers in the Swan contract until they don't purchase the asset.
Prize pool breakdown
Total prize
21,000 USDC
nSLOC
1,03420 USDC / LOC
20,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.