Starknet Auction (First Flight #26, Beginner Friendly, NFT)

Submission Details
Severity: medium
Status: Invalid

No Protection Against "Bid Sniping" in bid Function

Summary

There is no mechanism to prevent last-second "bid sniping," where a bidder places a high bid just before the auction ends, preventing other bidders from responding. This results in an unfair advantage for the last bidder.

Vulnerability Details

In the bid function:

assert(time < self.bidding_end.read(), 'Auction ended');
assert(amount > current_bid, 'The bid is not sufficient');

The auction has a hard cutoff time (bidding_end), and the deadline is never extended when a bid arrives close to it. A bidder can therefore wait until the last block before bidding_end to place a bid; because no bid can be accepted once the deadline has passed, the other participants get no opportunity to respond.

Impact

Bid sniping makes the auction less competitive and could result in lower overall bid values, negatively impacting both the seller (NFT owner) and other participants.

Tools Used

  • Manual code review

Recommendations

  • Implement a time extension mechanism that adds additional time (e.g., 10 minutes) to the auction if a bid is placed within the last few minutes. This allows other bidders a fair chance to respond.

    // Extend the deadline when a bid lands inside the final EXTENSION_PERIOD
    if time > self.bidding_end.read() - EXTENSION_PERIOD {
        let extended_time = self.bidding_end.read() + EXTENSION_PERIOD;
        self.bidding_end.write(extended_time);
    }

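As an added illustration, not the audited contract's code, the following Python model replays the bid checks quoted above with and without the recommended extension, and adds a cap on the total extension, since an uncapped extension lets two bidders keep the auction open indefinitely. EXTENSION_PERIOD, MAX_TOTAL_EXTENSION and the scenario times and amounts are assumed values.

```python
# Model of the reported issue and the recommended fix (not the contract's code).
EXTENSION_PERIOD = 600        # assumed: 10 minutes, as in the recommendation
MAX_TOTAL_EXTENSION = 3600    # assumed cap so late bids cannot extend forever


class Auction:
    def __init__(self, bidding_end, anti_snipe):
        self.bidding_end = bidding_end
        self.original_end = bidding_end   # the cap is measured from the original deadline
        self.anti_snipe = anti_snipe
        self.current_bid = 0
        self.highest_bidder = None

    def bid(self, bidder, amount, time):
        # Same two checks as the contract's bid function (asserts become raises here).
        if not time < self.bidding_end:
            raise ValueError('Auction ended')
        if not amount > self.current_bid:
            raise ValueError('The bid is not sufficient')
        self.current_bid = amount
        self.highest_bidder = bidder
        # Recommended extension: a bid inside the final window pushes the deadline
        # out, bounded by MAX_TOTAL_EXTENSION so a bidding war must still end.
        if self.anti_snipe and time > self.bidding_end - EXTENSION_PERIOD:
            extended = self.bidding_end + EXTENSION_PERIOD
            self.bidding_end = min(extended, self.original_end + MAX_TOTAL_EXTENSION)
        return self.bidding_end


def snipe_scenario(anti_snipe):
    """Bob bids one second before the deadline; can Alice answer?"""
    a = Auction(bidding_end=1000, anti_snipe=anti_snipe)
    a.bid("alice", 100, time=100)
    a.bid("bob", 110, time=999)         # last-second bid
    try:
        a.bid("alice", 120, time=1200)  # Alice's response, after the original deadline
    except ValueError:
        pass                            # hard cutoff: the response is rejected
    return a.highest_bidder, a.bidding_end


def bidding_war_scenario():
    """Two bidders keep bidding inside the window; the cap bounds the auction."""
    a = Auction(bidding_end=1000, anti_snipe=True)
    time, amount = 900, 10
    for bidder in ("alice", "bob") * 10:
        if time >= a.bidding_end:
            break
        a.bid(bidder, amount, time)
        time += EXTENSION_PERIOD - 1    # always just inside the extended window
        amount += 1
    return a.bidding_end
```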
Updates

Lead Judging Commences

bube (Lead Judge), 9 months ago
Submission Judgement Published: Invalidated
Reason: Design choice

Appeal created

0xserpent (Submitter), 9 months ago
bube (Lead Judge), 9 months ago
