Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Incorrect requiredAmount validation

r4ck3

Validation prohibits users of bidding the minPrice to the nft listing.

Description

When listing is created and there are no bids on it yet, user is able to make a bid on that listing that is equal to the minPrice of that listing.

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

Listing storage listing = listings[tokenId];

address previousBidder = bids[tokenId].bidder;

if (previousBidAmount == 0) {

requiredAmount = listing.minPrice;

@> require(msg.value > requiredAmount, "First bid must be > min price");

listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;

emit AuctionExtended(tokenId, listing.auctionEnd);

Risk

Likelihood:

This happens when there are no bids on the listing and the bidder wants to bid the minPrice to it.

Impact:

Bidder is unable to make a bid, call reverts.

Proof of Concept

Placing this in the test contract and executing will result in a revert and a bidder being unable to make a bid of MIN_PRICE. MIN_PRICE is the amount of eth that is used inside of a listing.minPrice for that nft.

function testBidMinPrice() public {

_mintNFT();

_listNFT();

vm.prank(BIDDER_1);

market.placeBid{value:MIN_PRICE}(TOKEN_ID);

vm.expectRevert();

}

Recommended Mitigation

By simply changing greater than to greater equals will allow bidder to bid the minPrice.

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

Listing storage listing = listings[tokenId];

address previousBidder = bids[tokenId].bidder;

if (previousBidAmount == 0) {

requiredAmount = listing.minPrice;

- require(msg.value > requiredAmount, "First bid must be > min price");

+ require(msg.value >= requiredAmount, "First bid must be >= min price");

listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;

emit AuctionExtended(tokenId, listing.auctionEnd);

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: First Bid > Instead of >=

First bid validation uses > instead of >=, preventing valid starting bids.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!