Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Marketplace fee deducted from seller proceeds violates minimum price guarantees

Description:

The marketplace contract contains a design flaw where the 5% protocol fee is deducted from the seller's proceeds rather than being paid additionally by the buyer. This creates a situation where sellers receive less than their specified minimum price, violating the fundamental guarantee that minPrice represents the minimum amount the seller is willing to accept. When a seller sets minPrice = buyNowPrice = 0.01 ETH, they expect to receive exactly 0.01 ETH, but the current implementation only pays them 0.0095 ETH (95% of the sale price) after deducting the protocol fee.

Attack path:

  1. Seller lists an NFT with minPrice = buyNowPrice = 0.01 ETH, expecting to receive exactly this amount

  2. Buyer purchases the NFT for 0.01 ETH via placeBid() or waits for auction settlement

  3. Protocol calculates fee: 0.01 ETH * 5% = 0.0005 ETH

  4. Seller receives: 0.01 ETH - 0.0005 ETH = 0.0095 ETH

  5. Seller has been paid less than their stated minimum acceptable price

  6. This violation occurs on every sale in the marketplace, systematically underpaying all sellers

Impact:

Sellers consistently receive less than their minimum acceptable price, violating the core promise of the minPrice parameter

The S_MIN_NFT_PRICE constant of 0.01 ETH becomes meaningless since sellers actually receive only 0.0095 ETH minimum

Recommended Mitigation:

Modify the fee structure so that buyers pay the marketplace fee in addition to the seller's asking price, ensuring sellers receive their full minimum price
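
The two fee models this submission contrasts, as an added Solidity illustration that is not the Bid Beasts contract's code. The library, contract, and function names and the basis-point constants are hypothetical, and `grossUp` goes beyond the submission to show what a seller would have to list at under the seller-pays model to net a target amount.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical names, not the Bid Beasts contract.
library FeeModels {
    uint256 internal constant FEE_BPS = 500; // 5% fee, as stated in the report
    uint256 internal constant BPS = 10_000;

    // Seller-pays model (the behaviour the report describes):
    // the fee comes out of the sale price.
    function sellerPays(uint256 salePrice)
        internal pure returns (uint256 fee, uint256 sellerNet)
    {
        fee = (salePrice * FEE_BPS) / BPS;
        sellerNet = salePrice - fee;
    }

    // Buyer-pays model (the report's recommended mitigation):
    // the fee is added on top, so the seller nets the full ask.
    function buyerPays(uint256 askPrice)
        internal pure returns (uint256 fee, uint256 buyerTotal)
    {
        fee = (askPrice * FEE_BPS) / BPS;
        buyerTotal = askPrice + fee;
    }

    // Under seller-pays, a listing price whose net is at least desiredNet:
    // ceil(desiredNet * BPS / (BPS - FEE_BPS)).
    function grossUp(uint256 desiredNet) internal pure returns (uint256) {
        uint256 d = BPS - FEE_BPS;
        return (desiredNet * BPS + d - 1) / d;
    }
}

contract FeeModelCheck {
    // Reverts if any figure differs from the report's 0.01 ETH walk-through.
    function check() external pure returns (uint256 listPrice) {
        (uint256 feeA, uint256 netA) = FeeModels.sellerPays(0.01 ether);
        require(feeA == 0.0005 ether && netA == 0.0095 ether, "seller-pays");

        (uint256 feeB, uint256 total) = FeeModels.buyerPays(0.01 ether);
        require(feeB == 0.0005 ether && total == 0.0105 ether, "buyer-pays");

        listPrice = FeeModels.grossUp(0.01 ether);
        (, uint256 netC) = FeeModels.sellerPays(listPrice);
        require(netC >= 0.01 ether, "gross-up");
    }
}
```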

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
