Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

Malicious User Can Fill Up A Buyer's MaxAssetCount For A Round By Listing Useless Assets At Zero Or Extremely Tiny Prices

Summary

A malicious user can fill up a buyer's maxAssetCount for a round by listing useless assets at zero price. This effectively makes the set of assets available to that buyer for purchase in that round useless.

Vulnerability Details

When a user lists an asset to a buyer, the contract does not check that the listing price is non-zero. This allows a user to fill the maximum number of assets that can be listed to that buyer for the round at little to no cost.

Inside the list function there is no check for a zero amount, and even if there were, there is no check for a minimum listing amount that the buyer can specify. This allows malicious users to list to buyers at little to no cost. The relist function is shown below; it likewise performs no check on `_price`:

    function relist(address _asset, address _buyer, uint256 _price) external {
        AssetListing storage asset = listings[_asset];

        // only the seller can relist the asset
        if (asset.seller != msg.sender) {
            revert Unauthorized(msg.sender);
        }

        // asset must be listed
        if (asset.status != AssetStatus.Listed) {
            revert InvalidStatus(asset.status, AssetStatus.Listed);
        }

        // relist can only happen after the round of its listing has ended
        // we check this via the old buyer, that is the existing asset.buyer
        //
        // note that asset is unlisted here, but is not bought at all
        //
        // perhaps it suffices to check `==` here, since buyer round
        // is changed incrementally
        (uint256 oldRound,,) = BuyerAgent(asset.buyer).getRoundPhase();
        if (oldRound <= asset.round) {
            revert RoundNotFinished(_asset, asset.round);
        }

        // now we move on to the new buyer
        BuyerAgent buyer = BuyerAgent(_buyer);
        (uint256 round, BuyerAgent.Phase phase,) = buyer.getRoundPhase();

        // buyer must be in sell phase
        if (phase != BuyerAgent.Phase.Sell) {
            revert BuyerAgent.InvalidPhase(phase, BuyerAgent.Phase.Sell);
        }

        // buyer must not have more than `maxAssetCount` many assets
        uint256 count = assetsPerBuyerRound[_buyer][round].length;
        if (count >= getCurrentMarketParameters().maxAssetCount) {
            revert AssetLimitExceeded(count);
        }

        // create listing (note: `_price` is stored without any validation)
        listings[_asset] = AssetListing({
            createdAt: block.timestamp,
            royaltyFee: buyer.royaltyFee(),
            price: _price,
            seller: msg.sender,
            status: AssetStatus.Listed,
            buyer: _buyer,
            round: round
        });

        // add this to list of listings for the buyer for this round
        assetsPerBuyerRound[_buyer][round].push(_asset);

        // transfer royalties
        transferRoyalties(listings[_asset]);

        emit AssetRelisted(msg.sender, _buyer, _asset, _price);
    }

The buyer's available slots for the round are filled with useless assets, and the buyer has no control over which assets are listed to them.

Impact

The malicious user fills the buyer's list of purchasable assets with useless assets priced at or near zero. The buyer is left without valuable assets to purchase in that round.

Recommendations

Allowing the buyer to set a minimum listing price would encourage listers to put up meaningful assets and discourage malicious users from filling up maxAssetCount at little to no cost.
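
A minimal sketch of this recommendation, added here as an example and not taken from the Swan code base or from the submission. The contract and every name in it that does not appear in the code above (MinPriceMarketSketch, minListingPrice, setMinListingPrice, PriceBelowMinimum, MAX_ASSET_COUNT) are hypothetical, and the round is passed in as a parameter instead of being read from the buyer agent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: a stripped-down market, not the Swan contract.
/// Hypothetical names: MinPriceMarketSketch, minListingPrice,
/// setMinListingPrice, PriceBelowMinimum, MAX_ASSET_COUNT.
contract MinPriceMarketSketch {
    // stand-in for getCurrentMarketParameters().maxAssetCount
    uint256 public constant MAX_ASSET_COUNT = 5;

    // price floor chosen by each buyer; listings below it are rejected
    mapping(address buyer => uint256) public minListingPrice;

    // assets listed to a buyer in a round, as in assetsPerBuyerRound above
    mapping(address buyer => mapping(uint256 round => address[]))
        public assetsPerBuyerRound;

    error AssetLimitExceeded(uint256 count);
    error PriceBelowMinimum(uint256 price, uint256 minimum);

    event MinListingPriceSet(address indexed buyer, uint256 minimum);

    /// Assumption: the caller is the buyer. In a real deployment this
    /// would be restricted to whoever controls the buyer agent.
    function setMinListingPrice(uint256 minimum) external {
        minListingPrice[msg.sender] = minimum;
        emit MinListingPriceSet(msg.sender, minimum);
    }

    /// Simplified listing path: the price check runs before a slot is
    /// consumed, so zero and dust listings cannot exhaust the round.
    function list(address asset, address buyer, uint256 round, uint256 price)
        external
    {
        uint256 minimum = minListingPrice[buyer];
        // reject zero outright, and anything under the buyer's floor
        if (price == 0 || price < minimum) {
            revert PriceBelowMinimum(price, minimum);
        }

        uint256 count = assetsPerBuyerRound[buyer][round].length;
        if (count >= MAX_ASSET_COUNT) {
            revert AssetLimitExceeded(count);
        }

        assetsPerBuyerRound[buyer][round].push(asset);
    }
}
```

The same check would need to be applied on every path that places an asset into a buyer's round, including the relist path shown earlier.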

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS the buyer / Lack of minimal amount of listing price
