The bid increment calculation performs division before multiplication: (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE). Because Solidity's integer division truncates the remainder, previousBidAmount % 100 (up to 99 wei) is discarded before the percentage is applied, so the required next bid is under-calculated whenever previousBidAmount is not a multiple of 100. For example, with a previous bid of 99 wei, (99 / 100) * 105 evaluates to 0, so the 5% increment is not enforced at all and a next bid of 100 wei is accepted; computing 99 * 105 / 100 instead yields the intended 103 wei.
Likelihood:
This occurs whenever the previous bid amount is not divisible by 100, since integer division truncates the remainder before the increment multiplier is applied. The flaw is deterministic and needs no special conditions: in any auction with small or uneven bid amounts, bidders can place valid bids below the intended minimum increment.
Impact:
Bidders can consistently place bids below the intended 5% minimum increment. This undermines the auction's economic model by:
Allowing bidders to win auctions with smaller-than-designed increments.
Reducing seller revenue and platform fees below what the increment rule is meant to guarantee.
Creating unfair bidding dynamics, since bidders who exploit the truncation gain an advantage over bidders who follow the intended rule.
Recommendation:
Multiply before dividing so the percentage is applied to the full previousBidAmount before any truncation: previousBidAmount * (100 + S_MIN_BID_INCREMENT_PERCENTAGE) / 100. Integer division in requiredAmount then loses at most a fraction of one wei of the correctly scaled value, instead of discarding up to 99 wei of the base amount before scaling. With Solidity 0.8 checked arithmetic the multiplication reverts rather than wraps on overflow, and for wei-denominated bids the product cannot approach the uint256 limit in practice.
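The following contract is an added example, not the audited project's code. It places the truncating order of operations described above beside the multiply-first fix from the recommendation so the shortfall can be computed on-chain or in a test. The constant name and the 5% value mirror the finding; the function names requiredAmountVulnerable, requiredAmountFixed and shortfall are assumptions chosen for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the audited project's code). Contrasts the
/// divide-first calculation from the finding with the multiply-first fix.
/// Function names are assumptions; the constant mirrors the finding.
contract BidIncrementDemo {
    uint256 public constant S_MIN_BID_INCREMENT_PERCENTAGE = 5;

    /// Vulnerable order of operations: previousBidAmount / 100 truncates
    /// away previousBidAmount % 100 before the percentage is applied.
    function requiredAmountVulnerable(uint256 previousBidAmount) public pure returns (uint256) {
        return (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
    }

    /// Fixed order of operations: scale first, divide last, so the only
    /// truncation is the sub-wei fraction of the scaled value. Solidity 0.8
    /// checked arithmetic reverts instead of wrapping if the product ever
    /// exceeded uint256, which wei-denominated bids cannot reach in practice.
    function requiredAmountFixed(uint256 previousBidAmount) public pure returns (uint256) {
        return (previousBidAmount * (100 + S_MIN_BID_INCREMENT_PERCENTAGE)) / 100;
    }

    /// Wei by which the vulnerable formula under-states the minimum next bid.
    /// The fixed value is never smaller than the vulnerable one, so this
    /// subtraction cannot underflow.
    function shortfall(uint256 previousBidAmount) public pure returns (uint256) {
        return requiredAmountFixed(previousBidAmount) - requiredAmountVulnerable(previousBidAmount);
    }

    /// Returns both formulas side by side for a list of previous bids, e.g.
    /// [99, 199, 1000] wei, so a test can compare them without redeploying.
    function compare(uint256[] calldata previousBids)
        external
        pure
        returns (uint256[] memory vulnerable, uint256[] memory fixedValues)
    {
        vulnerable = new uint256[](previousBids.length);
        fixedValues = new uint256[](previousBids.length);
        for (uint256 i = 0; i < previousBids.length; i++) {
            vulnerable[i] = requiredAmountVulnerable(previousBids[i]);
            fixedValues[i] = requiredAmountFixed(previousBids[i]);
        }
    }
}
```

Calling compare with [99, 199, 1000] returns [0, 105, 1050] from the vulnerable formula and [103, 208, 1050] from the fixed one: the two agree only when the previous bid is a multiple of 100, and shortfall(99) is 103 wei, i.e. the entire increment is lost for the smallest bids.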