Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: low
Invalid

`BidBeastsNFTMarket:placeBid` function is vulnerable to front-running attacks among bidders.


Description

  • Under normal circumstances, one buyer places a bid, followed by subsequent buyers placing their bids in sequence.

  • However, if a malicious buyer uses MEV to monitor bid information, they can quickly submit a front-running bid transaction as soon as a buyer sends a bid transaction, causing the previous bidder's bid to fail.

  • BidBeastsNFTMarketPlace.sol is as follows:

```solidity
function placeBid(uint256 tokenId) external payable isListed(tokenId) {
    // ...Original code
    if (previousBidAmount == 0) {
        requiredAmount = listing.minPrice;
        require(msg.value > requiredAmount, "First bid must be > min price");
        listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;
        emit AuctionExtended(tokenId, listing.auctionEnd);
    } else {
        requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
@>      require(msg.value >= requiredAmount, "Bid not high enough");
        uint256 timeLeft = 0;
        if (listing.auctionEnd > block.timestamp) {
            timeLeft = listing.auctionEnd - block.timestamp;
        }
        if (timeLeft < S_AUCTION_EXTENSION_DURATION) {
            listing.auctionEnd = listing.auctionEnd + S_AUCTION_EXTENSION_DURATION;
            emit AuctionExtended(tokenId, listing.auctionEnd);
        }
    }
    // ...Original code
}
```

Risk

Likelihood:

  • Every time a buyer places a bid, they face the risk of interference from malicious bidders.

Impact:

  • Although there is no direct financial loss, this behavior can severely disrupt ordinary bidders' enthusiasm. It may cause regular users to lose confidence in the protocol.

Proof of Concept

  • None

Recommended Mitigation

  • Using a commit-reveal scheme can effectively reduce interference from malicious bidders.
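
The commit-reveal mitigation recommended above, as an added example that is not part of the submission or of the BidBeasts code base. The contract name `SealedBidAuction`, its functions and its phase parameters are hypothetical, and it assumes a single item with fixed commit and reveal windows.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration with hypothetical names; covers the bidding phases of one item.
contract SealedBidAuction {
    uint256 public immutable commitEnd;
    uint256 public immutable revealEnd;
    mapping(address => bytes32) public commitments;
    mapping(address => uint256) public deposits;
    mapping(address => uint256) public refunds;
    address public highestBidder;
    uint256 public highestBid;

    constructor(uint256 commitDuration, uint256 revealDuration) {
        commitEnd = block.timestamp + commitDuration;
        revealEnd = commitEnd + revealDuration;
    }

    // Phase 1: publish only keccak256(abi.encode(bidder, amount, salt)) plus a deposit.
    function commit(bytes32 commitment) external payable {
        require(block.timestamp < commitEnd, "commit phase over");
        require(commitment != bytes32(0) && commitments[msg.sender] == bytes32(0), "bad commit");
        commitments[msg.sender] = commitment;
        deposits[msg.sender] = msg.value;
    }

    // Phase 2: open the commitment; the hash binds the amount to msg.sender.
    function reveal(uint256 amount, bytes32 salt) external {
        require(block.timestamp >= commitEnd && block.timestamp < revealEnd, "not reveal phase");
        require(commitments[msg.sender] == keccak256(abi.encode(msg.sender, amount, salt)), "mismatch");
        uint256 deposit = deposits[msg.sender];
        require(deposit >= amount, "deposit below bid");
        delete commitments[msg.sender];
        delete deposits[msg.sender];
        if (amount > highestBid) {
            refunds[highestBidder] += highestBid;    // outbid leader gets the bid back
            refunds[msg.sender] += deposit - amount; // excess deposit is returned
            highestBidder = msg.sender;
            highestBid = amount;
        } else {
            refunds[msg.sender] += deposit;
        }
    }

    function withdraw() external {
        uint256 owed = refunds[msg.sender];
        refunds[msg.sender] = 0; // zero the balance before the external call
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "transfer failed");
    }
}
```

The deposit is visible on-chain and only bounds the hidden bid from above, so bidders can over-deposit to avoid revealing the exact amount. Deposits behind commitments that are never revealed stay locked, which discourages committing without intending to reveal.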

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

minos Submitter 2 months ago
cryptoghost Lead Judge 2 months ago
cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
