Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Auction duration starts only after first bid instead of fixed 3 days

Root + Impact


Description

=> When an NFT is listed, the auction should last exactly 3 days.
=> Currently, the auction timer (auctionEnd) is initialized to 0 and only starts when the first bid is placed. This makes the auction duration dependent on when the first bid arrives, which deviates from the spec.

listings[tokenId] = Listing({
    seller: msg.sender,
    minPrice: _minPrice,
    buyNowPrice: _buyNowPrice,
>   auctionEnd: 0, // Timer starts only after the first valid bid.
    listed: true
});

Risk

Likelihood:

  1. Every listing will have a dynamic auction duration if bids are delayed.

  2. Auction may end sooner or later than 3 days, depending on bidder behavior.

Impact:

  1. Sellers/bidders may expect a 3-day auction; dynamic duration can confuse users.

  2. Could be exploited to manipulate auction timing if the platform assumes a fixed auction window.

Proof of Concept

  1. List an NFT using listNFT.

  2. Wait for several days before placing the first bid.

  3. Observe that the auction now ends 15 minutes (S_AUCTION_EXTENSION_DURATION) after the first bid, not 3 days.
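
The steps above as a Foundry test, added here as an example; it is not code from the submission or from the BidBeasts repository. TimerModel, its functions and the 5-day wait are hypothetical stand-ins that model only the timer, with the reported initializer and the recommended one side by side, and it assumes the mitigated variant simply rejects bids after the deadline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical model of the listing timer only; not the BidBeasts contract.
contract TimerModel {
    uint256 public constant DURATION = 3 days;      // window the finding expects
    uint256 public constant EXTENSION = 15 minutes; // finding's S_AUCTION_EXTENSION_DURATION
    bool public immutable fixedWindow;              // false = reported, true = mitigated
    mapping(uint256 => bool) public listed;
    mapping(uint256 => uint256) public auctionEnd;

    constructor(bool fixedWindow_) { fixedWindow = fixedWindow_; }

    function list(uint256 id) external {
        listed[id] = true;
        auctionEnd[id] = fixedWindow ? block.timestamp + DURATION : 0;
    }

    function bid(uint256 id) external {
        require(listed[id], "not listed");
        if (auctionEnd[id] == 0) {
            auctionEnd[id] = block.timestamp + EXTENSION; // first bid starts the timer
        } else {
            require(block.timestamp < auctionEnd[id], "auction ended");
        }
    }
}

contract TimerModelTest is Test {
    function test_reported_deadlineFollowsFirstBid() public {
        TimerModel m = new TimerModel(false);
        uint256 listedAt = block.timestamp;
        m.list(1);
        vm.warp(listedAt + 5 days); // nobody bids for five days
        m.bid(1);
        assertEq(m.auctionEnd(1), listedAt + 5 days + 15 minutes);
    }

    function test_mitigated_deadlineFixedAtListing() public {
        TimerModel m = new TimerModel(true);
        uint256 listedAt = block.timestamp;
        m.list(1);
        assertEq(m.auctionEnd(1), listedAt + 3 days);
        vm.warp(listedAt + 5 days);
        vm.expectRevert(bytes("auction ended"));
        m.bid(1);
    }
}
```

Later bids and the extension logic are left out of the model, since the finding only concerns when the deadline is first set.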

Recommended Mitigation

- auctionEnd: 0, // Timer starts only after the first valid bid.
+ auctionEnd: block.timestamp + 3 days, // start auction immediately to enforce fixed 3-day duration
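Review bot: the added auctionEnd: block.timestamp + 3 days line changes only the listing initializer, while the Description says the timer is set when the first bid is placed and the Proof of Concept shows it ending S_AUCTION_EXTENSION_DURATION after that bid. That first-bid assignment is not touched by this diff, so the patch should also remove or guard it; otherwise the deadline set at listing time may be replaced on the first bid, and any check that relies on auctionEnd being 0 before the first bid will need a different signal. I would also replace the literal 3 days with a named constant alongside S_AUCTION_EXTENSION_DURATION and document what happens to a listing that reaches the deadline with no bids.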
Updates

Lead Judging Commences

cryptoghost Lead Judge
25 days ago
cryptoghost Lead Judge 21 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Improper Documentation

Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.
