Bid Beasts
First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

`BidBeastsNFTMarket:placeBid`: the initial-bid check incorrectly validates the buyer's bid amount (`>` instead of `>=`).

Description

  • When a buyer places a bid, the placeBid function validates msg.value against the amount the listing currently requires.

  • From the buyer's perspective, a first bid should be accepted when it is not less than the listing's minimum price (minPrice), and each subsequent bid should exceed the previous bid by the required increment.

  • The function instead requires the first bid to be strictly greater than minPrice (`msg.value > requiredAmount`), so a bid of exactly minPrice reverts with "First bid must be > min price" even though minPrice is the advertised minimum. This contradicts what a buyer expects and is inconsistent with the subsequent-bid branch, which uses `>=`.

  • Line 151 of BidBeastsNFTMarketPlace.sol

function placeBid(uint256 tokenId) external payable isListed(tokenId) {
    // ... original code
    if (previousBidAmount == 0) {
        requiredAmount = listing.minPrice;
@>      require(msg.value > requiredAmount, "First bid must be > min price");
        listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;
        emit AuctionExtended(tokenId, listing.auctionEnd);
    } else {
        requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
        require(msg.value >= requiredAmount, "Bid not high enough");
        uint256 timeLeft = 0;
        if (listing.auctionEnd > block.timestamp) {
            timeLeft = listing.auctionEnd - block.timestamp;
        }
        if (timeLeft < S_AUCTION_EXTENSION_DURATION) {
            listing.auctionEnd = listing.auctionEnd + S_AUCTION_EXTENSION_DURATION;
            emit AuctionExtended(tokenId, listing.auctionEnd);
        }
    }
    // ... original code
}

Risk

Likelihood:

  • The check runs on every first bid on a listing, i.e. every time a buyer opens the auction with a bid that does not constitute an immediate purchase.

Impact:

  • No direct loss of funds. A bid of exactly minPrice reverts, so a buyer who wants to open at the minimum must send at least minPrice + 1 wei, and the revert reason contradicts the advertised minimum. This causes confusion and a sense of deception for the buyer and may discourage users who originally intended to participate in the auction.

Proof of Concept

  • None
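The report gives no proof of concept. The following is an added Foundry test, not the BidBeasts project's code: it reproduces the first-bid comparison in a minimal auction contract. The `MinimalAuction` contract, its `list` function, the `strictFirstBid` constructor flag and the constant values are assumptions introduced for the example; the constant names, error strings and branch logic follow the snippet above. The flag selects between the deployed `>` check and the mitigated `>=` check, so the four tests show that a bid of exactly `minPrice` reverts today, that the buyer must overpay by at least 1 wei, and that after the fix `minPrice` is accepted while `minPrice - 1` still reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the BidBeasts project's code. MinimalAuction, list(),
// strictFirstBid and the constant values are hypothetical; the constant names,
// revert strings and branch structure mirror the placeBid snippet in the report.
import {Test} from "forge-std/Test.sol";

contract MinimalAuction {
    uint256 public constant S_MIN_BID_INCREMENT_PERCENTAGE = 5; // assumed value
    uint256 public constant S_AUCTION_EXTENSION_DURATION = 15 minutes; // assumed value

    struct Listing {
        uint256 minPrice;
        uint256 highestBid;
        address highestBidder;
        uint256 auctionEnd;
    }

    mapping(uint256 => Listing) public listings;
    // true  -> deployed behaviour: first bid must be strictly greater than minPrice
    // false -> mitigated behaviour: first bid may equal minPrice
    bool public immutable strictFirstBid;

    constructor(bool _strictFirstBid) {
        strictFirstBid = _strictFirstBid;
    }

    function list(uint256 tokenId, uint256 minPrice) external {
        require(minPrice > 0, "min price must be > 0");
        listings[tokenId] = Listing(minPrice, 0, address(0), 0);
    }

    function placeBid(uint256 tokenId) external payable {
        Listing storage listing = listings[tokenId];
        require(listing.minPrice != 0, "not listed");
        uint256 previousBidAmount = listing.highestBid;
        uint256 requiredAmount;
        if (previousBidAmount == 0) {
            requiredAmount = listing.minPrice;
            if (strictFirstBid) {
                require(msg.value > requiredAmount, "First bid must be > min price");
            } else {
                require(msg.value >= requiredAmount, "First bid must be >= min price");
            }
            listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;
        } else {
            requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
            require(msg.value >= requiredAmount, "Bid not high enough");
        }
        // Refund of the outbid bidder is omitted; only the validation is under test.
        listing.highestBid = msg.value;
        listing.highestBidder = msg.sender;
    }
}

contract FirstBidBoundaryTest is Test {
    uint256 constant TOKEN_ID = 1;
    uint256 constant MIN_PRICE = 1 ether;
    address bidder = makeAddr("bidder");

    function _deploy(bool strict) internal returns (MinimalAuction auction) {
        auction = new MinimalAuction(strict);
        auction.list(TOKEN_ID, MIN_PRICE);
        vm.deal(bidder, 10 ether);
    }

    // Bug: a first bid of exactly minPrice is rejected.
    function test_deployedLogic_rejectsBidEqualToMinPrice() public {
        MinimalAuction auction = _deploy(true);
        vm.prank(bidder);
        vm.expectRevert(bytes("First bid must be > min price"));
        auction.placeBid{value: MIN_PRICE}(TOKEN_ID);
    }

    // Bug: the buyer has to overpay by at least 1 wei to open the auction.
    function test_deployedLogic_forcesOverpaymentOfOneWei() public {
        MinimalAuction auction = _deploy(true);
        vm.prank(bidder);
        auction.placeBid{value: MIN_PRICE + 1}(TOKEN_ID);
        (, uint256 highestBid, address highestBidder,) = auction.listings(TOKEN_ID);
        assertEq(highestBid, MIN_PRICE + 1);
        assertEq(highestBidder, bidder);
    }

    // Fix: exactly minPrice is accepted as the opening bid.
    function test_fixedLogic_acceptsBidEqualToMinPrice() public {
        MinimalAuction auction = _deploy(false);
        vm.prank(bidder);
        auction.placeBid{value: MIN_PRICE}(TOKEN_ID);
        (, uint256 highestBid,,) = auction.listings(TOKEN_ID);
        assertEq(highestBid, MIN_PRICE);
    }

    // Fix: anything below minPrice is still rejected.
    function test_fixedLogic_stillRejectsBidBelowMinPrice() public {
        MinimalAuction auction = _deploy(false);
        vm.prank(bidder);
        vm.expectRevert(bytes("First bid must be >= min price"));
        auction.placeBid{value: MIN_PRICE - 1}(TOKEN_ID);
    }
}
```

Run with `forge test --match-contract FirstBidBoundaryTest -vv`. The auction-extension bookkeeping and the refund of an outbid bidder are left out because they do not affect which bids pass the first-bid check.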

Recommended Mitigation

function placeBid(uint256 tokenId) external payable isListed(tokenId) {
// ... original code
if (previousBidAmount == 0) {
requiredAmount = listing.minPrice;
- require(msg.value > requiredAmount, "First bid must be > min price");
+ require(msg.value >= requiredAmount, "First bid must be >= min price");
listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;
emit AuctionExtended(tokenId, listing.auctionEnd);
} else {
requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
require(msg.value >= requiredAmount, "Bid not high enough");
uint256 timeLeft = 0;
if (listing.auctionEnd > block.timestamp) {
timeLeft = listing.auctionEnd - block.timestamp;
}
if (timeLeft < S_AUCTION_EXTENSION_DURATION) {
listing.auctionEnd = listing.auctionEnd + S_AUCTION_EXTENSION_DURATION;
emit AuctionExtended(tokenId, listing.auctionEnd);
}
}
// ... original code
}
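Review bot: the `>=` change on the first-bid branch is the right fix and brings it in line with the `require(msg.value >= requiredAmount, "Bid not high enough");` check in the else branch, but the mitigation cites no test for either boundary; add a regression test that places a first bid of exactly `listing.minPrice` on a fresh listing and asserts it is accepted, and one that bids `listing.minPrice - 1` and asserts the revert with the new reason string. Separately, the unchanged line `requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);` divides before multiplying, so the remainder of `previousBidAmount` modulo 100 is discarded before the increment is applied; `previousBidAmount * (100 + S_MIN_BID_INCREMENT_PERCENTAGE) / 100` yields the same increment without that truncation.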
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: First Bid > Instead of >=

First bid validation uses > instead of >=, preventing valid starting bids.
