Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: low

Invalid

Lack of an Automated Settlement or Fallback Mechanism Can Lead to Permanent Freezing of Assets

reidnermarques123

[M-1] Lack of an Automated Settlement or Fallback Mechanism Can Lead to Permanent Freezing of Assets

Description

The settleAuction function is responsible for finalizing a successful auction by transferring the NFT to the winner and the funds to the seller. However, the contract's design critically relies on a manual call to this function. If both the seller and the winning bidder neglect to call this function for any reason, the auction will never be finalized. This results in a permanent freeze of the assets involved.

Risk

Likelihood: Low While this scenario doesn't require a malicious attacker, it relies on user inaction or human error.

Impact: High. The consequence is the loss of user assets

Proof of Concept

The following test demonstrates the vulnerability.

function test_exploit_settleAuction_abandoned() public {

_mintNFT();

_listNFT();

// BIDDER_1 makes a valid bid

uint256 bidValue = 2 ether;

vm.prank(BIDDER_1);

market.placeBid{value: bidValue}(TOKEN_ID);

// Warp time to after the auction has ended

vm.warp(block.timestamp + market.S_AUCTION_EXTENSION_DURATION() + 1);

// No participant calls settleAuction

// → NFT remains locked in the contract

// → Seller does not receive the funds

// → Buyer does not receive the NFT

BidBeastsNFTMarket.Listing memory listing = market.getListing(TOKEN_ID);

assertTrue(listing.listed, "The NFT should remain listed as settleAuction was not called");

assertEq(nft.ownerOf(TOKEN_ID), address(market), "The NFT should still be held by the marketplace contract");

assertEq(BIDDER_1.balance, STARTING_BALANCE - bidValue, "The bidder's funds should remain locked");

assertEq(SELLER.balance, STARTING_BALANCE, "The seller should not have received the funds");

}

Recommended Mitigation

To prevent assets from being permanently frozen, a fallback mechanism should be implemented that allows either the seller or the highest bidder to reclaim their respective assets after a pre-defined grace period.

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!