Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Bidders can settle Auctions prematurely before the deadline of 3 days hit

ntdegenerate

Root + Impact

Bidders can settle Auctions prematurely before the deadline of 3 days hit

Description

When settling an auction with BidBeastsNFTMarket:settleAuction, there is no check to see if the deadline of 3 days have passed, instead it checks if block.timestamp >= listing.auctionEnd and this is not fool-proof as it is possible that listing.auctionEnd is less than 3 days, because it is only incremented by
S_AUCTION_EXTENSION_DURATION which is only 15 minutes

function settleAuction(uint256 tokenId) external isListed(tokenId) {

Listing storage listing = listings[tokenId];

require(listing.auctionEnd > 0, "Auction has not started (no bids)");

@> require(block.timestamp >= listing.auctionEnd, "Auction has not ended");

require(bids[tokenId].amount >= listing.minPrice, "Highest bid did not meet min price");

_executeSale(tokenId);

}

https://github.com/CodeHawks-Contests/2025-09-bid-beasts/blob/449341c55a57d3f078d1250051a7b34625d3aa04/src/BidBeastsNFTMarketPlace.sol#L185

Risk

Likelihood:

Reason 1 : This will occur whenever the current Listing.auctionEnd has passed, and there are no new bids placed

Impact:

Auction can be ended prematurely
It makes the game unfair to latter users as early users can close the auction

Proof of Concept

The code below shows a bidder settling an auction 15 minutes after the auction started
Place the following code in BidBeastsNFTMarketTest.t.sol

function testCanCloseAuctionPrematurely() public warmMarket {

vm.prank(BIDDER_1);

market.placeBid{value: MIN_PRICE + 0.5 ether}(TOKEN_ID);

vm.warp(block.timestamp + market.S_AUCTION_EXTENSION_DURATION() + 1);

vm.prank(BIDDER_1);

vm.expectEmit();

emit AuctionSettled(TOKEN_ID, BIDDER_1, SELLER, MIN_PRICE + 0.5 ether);

market.settleAuction(TOKEN_ID);

assertEq(nft.ownerOf(TOKEN_ID), BIDDER_1);

}

Recommended Mitigation

Add a check to see if 3days have passed after the auction started

function settleAuction(uint256 tokenId) external isListed(tokenId) {

Listing storage listing = listings[tokenId];

require(listing.auctionEnd > 0, "Auction has not started (no bids)");

- require(block.timestamp >= listing.auctionEnd, "Auction has not ended");

+ require(block.timestamp > listing.auctionEnd && listing.auctionEnd == 3 days)

require(bids[tokenId].amount >= listing.minPrice, "Highest bid did not meet min price");

_executeSale(tokenId);

}

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Improper Documentation

Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!