Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: medium
Valid

Integer Division Precision Loss in Bid Calculation

Root + Impact

Description

  • The normal behavior of the bidding system should ensure that each new bid is at least 5% higher than the previous bid to prevent sniping with minimal bid increases.

  • The specific issue is that the calculation requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE) performs integer division before multiplication, causing precision loss that allows bids to be placed below the intended minimum increment.

} else {
    requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
    ...........
}

Risk

Likelihood: High

  • This issue will occur on every bid where the previous bid amount is not a multiple of 100.

  • The precision loss is deterministic and affects all auctions with non-round bid amounts.

Impact: Medium

  • Bidders can place bids below the intended minimum increment, potentially allowing bid sniping with smaller amounts than intended.

  • The economic protection mechanism designed to prevent minimal-increase bidding is undermined.

  • For smaller bid amounts, the percentage loss can be significant.

Proof of Concept

Consider the following scenario:

// Example with previousBidAmount = 199 wei
// S_MIN_BID_INCREMENT_PERCENTAGE = 5

// Current calculation:
requiredAmount = (199 / 100) * (100 + 5)
               = 1 * 105
               = 105 wei

// Expected calculation (with proper precision):
requiredAmount = 199 * (100 + 5) / 100
               = 199 * 105 / 100
               = 208.95 wei (rounded to 208 wei in integer math)

// The difference is 208 - 105 = 103 wei (approximately 49% less than expected)

This calculation error allows bidders to place bids significantly lower than the intended 5% increase, particularly for non-round previous bid amounts. The higher the remainder of the division by 100, the larger the percentage error.

Consider more examples:

  • For a previous bid of 199 wei, the required amount should be 208 wei, but it's calculated as 105 wei

  • For a previous bid of 999 wei, the required amount should be 1048 wei, but it's calculated as 945 wei

This vulnerability becomes particularly impactful for lower bid amounts, where the percentage error can be substantial.
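The following Python model is an added example, not code from the submission or from the BidBeasts contract. It reproduces both formulas (Python's `//` on non-negative integers truncates like Solidity's `/` on `uint256`) and sweeps previous bids to measure the shortfall; the function names are assumptions, and the increment of 5 is the value used in the proof of concept.

```python
"""Model of the two requiredAmount formulas from the finding (amounts in wei).

Python's // on non-negative ints truncates like Solidity's / on uint256.
"""

PCT = 5  # S_MIN_BID_INCREMENT_PERCENTAGE, value used in the proof of concept


def required_divide_first(prev: int, pct: int = PCT) -> int:
    """Reported formula: the division truncates before the multiplication."""
    return (prev // 100) * (100 + pct)


def required_multiply_first(prev: int, pct: int = PCT) -> int:
    """Mitigated formula: only the final quotient is truncated."""
    return (prev * (100 + pct)) // 100


def shortfall(prev: int, pct: int = PCT) -> int:
    """Wei by which the reported formula undercuts the mitigated one."""
    return required_multiply_first(prev, pct) - required_divide_first(prev, pct)


def worst_case(lo: int, hi: int, pct: int = PCT) -> tuple[int, int]:
    """First (previous bid, shortfall) with the largest shortfall in [lo, hi]."""
    prev = max(range(lo, hi + 1), key=lambda p: shortfall(p, pct))
    return prev, shortfall(prev, pct)


def largest_non_increasing(hi: int, pct: int = PCT) -> int:
    """Largest previous bid <= hi whose reported minimum does not exceed it."""
    return max(p for p in range(1, hi + 1) if required_divide_first(p, pct) <= p)


if __name__ == "__main__":
    # Constructed sample bids: the two from the write-up, a round one, ~1 ether.
    for prev in (199, 999, 1_000, 10**18 + 99):
        print(prev, required_divide_first(prev), required_multiply_first(prev),
              shortfall(prev))
    print("worst case in 100..10000:", worst_case(100, 10_000))
    print("last bid with minimum <= itself:", largest_non_increasing(100_000))
```

With an increment of 5, the shortfall depends only on the previous bid's remainder modulo 100 and never exceeds 103 wei, which is why the relative error is large for tiny bids and negligible near 1 ether. Below 2,000 wei the reported formula can return a minimum that is no higher than the previous bid itself.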

Recommended Mitigation

- requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
+ requiredAmount = (previousBidAmount * (100 + S_MIN_BID_INCREMENT_PERCENTAGE)) / 100;
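Review bot: the `+` line still truncates, only later: the final `/ 100` rounds down, so for a previous bid of 199 wei the minimum becomes 208 wei where an exact 5% increase is 208.95. If the rule is meant to be "at least 5% higher", round the quotient up instead, for example by adding 99 to the product before dividing by 100, and add a test that covers previous bids that are not multiples of 100.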

The mitigation changes the order of operations to perform the multiplication before the division, which preserves precision in the calculation. This ensures that the minimum bid increment correctly reflects the intended percentage increase.

This change follows the general rule for percentage calculations in integer arithmetic: multiply by the percentage factor first and divide last. Dividing first loses precision, because integer division truncates any fractional part before the multiplication is applied.

By fixing this calculation, the auction mechanism will properly enforce the minimum bid increment policy as intended, preventing bid sniping with artificially low increments and ensuring fair auction dynamics for all participants.

Updates

Lead Judging Commences

cryptoghost Lead Judge 21 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Integer Division Precision Loss

Integer division in requiredAmount truncates fractions, allowing bids slightly lower than intended.
