Lack of functionality of Bid Tracking in Auction Contract
Summary
The Auction contract currently only records the latest bid by storing a single bidder in state.lastBidder and updating a cumulative bid amount in bidAmounts. This approach overwrites previous bids, failing to maintain a complete record of all bids as expected by the IAuction interface, which requires tracking each bid individually.
Vulnerability Details
-
Current Implementation:
In thebuyfunction, the contract updates bid-related state variables as follows:bidAmounts[msg.sender] += amount;state.lastBidTime = block.timestamp;state.lastBidder = msg.sender;This logic only retains the details of the most recent bid by any bidder. There is no mechanism to store each bid separately.
-
Expected Behavior:
The IAuction interface suggests the existence of a structure like:struct Bid {address bidder;uint256 amount;}This structure should be used to store every bid made during the auction. However, the current implementation neglects this, leading to the loss of bid history.
Impact
Overwriting bid data means that previous bids are lost, which could be crucial for auditability, transparency, and handling disputes.
Tools Used
Manual Review
Recommendations
Implement a data structure to store each bid individually. For example, create a dynamic array of Bid structs to record every bid, ensuring that all bid information is preserved. Adjust the buy function to push each new bid into this array, and update the IAuction interface to reflect this bid tracking mechanism.
Example code fix:
This change ensures that all bids are recorded, providing a complete and transparent bid history for the auction.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.