Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

An event is emitted in the `Swan::createBuyer` function, but the function is public, so an attacker can flood off-chain event listeners with unnecessary events.

According to the known issues, `SwanAssetFactory` and `BuyerAgentFactory` both have a `deploy` function that is callable by anyone, while the protocol assumes it is called only by the Swan contract. We believe this is not a problem, as an outsider call won't change the state of the Swan contract, nor will it be caught by any event listeners that listen to Swan.

But here an event is emitted, and event listeners that listen to Swan can be flooded with unnecessary events, since the `Swan::createBuyer` function is callable by everyone and emits an event.

```solidity
// Swan::createBuyer as it appears in the audited code: no access restriction,
// so any caller can trigger the BuyerCreated event.
function createBuyer(
    string calldata _name,
    string calldata _description,
    uint96 _feeRoyalty,
    uint256 _amountPerRound
) external returns (BuyerAgent) {
    BuyerAgent agent = buyerAgentFactory.deploy(_name, _description, _feeRoyalty, _amountPerRound, msg.sender);
    emit BuyerCreated(msg.sender, address(agent));
    return agent;
}
```
https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/Swan.sol#L326C5-L335C22

Recommendation

Restrict this function so that it can be called only by trusted addresses.
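One way to implement the recommendation, as an added illustration that is not part of the submission or the Swan codebase: gate `createBuyer` behind an owner-managed allowlist of trusted callers, so the `BuyerCreated` event can only be emitted by addresses the protocol trusts. The `BuyerAgent` and `BuyerAgentFactory` stand-ins, the `trustedCreators` mapping, the `onlyTrusted`/`onlyOwner` modifiers, the custom errors and the indexed event parameters are all assumptions made for this example; only `createBuyer`, `BuyerCreated` and the `deploy` call shape come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-ins for the real BuyerAgent / BuyerAgentFactory types
// (assumption for this example, not the project's own contracts).
contract BuyerAgent {
    address public owner;

    constructor(address _owner) {
        owner = _owner;
    }
}

contract BuyerAgentFactory {
    function deploy(
        string calldata, // _name (unused in this stand-in)
        string calldata, // _description (unused in this stand-in)
        uint96, // _feeRoyalty (unused in this stand-in)
        uint256, // _amountPerRound (unused in this stand-in)
        address _owner
    ) external returns (BuyerAgent) {
        return new BuyerAgent(_owner);
    }
}

// Sketch of the recommended restriction: createBuyer is only callable by
// addresses on an allowlist that the contract owner controls.
contract SwanRestricted {
    address public owner;
    BuyerAgentFactory public buyerAgentFactory;

    // Assumed allowlist of callers permitted to create buyers.
    mapping(address => bool) public trustedCreators;

    // Indexing the owner lets listeners filter by topic instead of decoding every log.
    event BuyerCreated(address indexed owner, address indexed agent);
    event TrustedCreatorUpdated(address indexed account, bool allowed);

    error NotOwner();
    error NotTrusted(address caller);

    constructor(BuyerAgentFactory _factory) {
        owner = msg.sender;
        buyerAgentFactory = _factory;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier onlyTrusted() {
        if (!trustedCreators[msg.sender]) revert NotTrusted(msg.sender);
        _;
    }

    // Only the owner may grant or revoke the right to call createBuyer.
    function setTrustedCreator(address account, bool allowed) external onlyOwner {
        trustedCreators[account] = allowed;
        emit TrustedCreatorUpdated(account, allowed);
    }

    // Same body as the audited function, but the onlyTrusted modifier reverts
    // before the factory call and before the event for any untrusted caller,
    // so arbitrary addresses can no longer flood listeners with BuyerCreated.
    function createBuyer(
        string calldata _name,
        string calldata _description,
        uint96 _feeRoyalty,
        uint256 _amountPerRound
    ) external onlyTrusted returns (BuyerAgent) {
        BuyerAgent agent = buyerAgentFactory.deploy(_name, _description, _feeRoyalty, _amountPerRound, msg.sender);
        emit BuyerCreated(msg.sender, address(agent));
        return agent;
    }
}
```

If open buyer creation is an intended part of the protocol's design, an on-chain allowlist would change that behaviour; in that case the same noise reduction can be obtained off-chain by having listeners subscribe only to `BuyerCreated` logs whose indexed `owner` topic matches addresses the indexer cares about, which is why the example marks that parameter `indexed`.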

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
