Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

First Bid Strictly Greater Than Minimum Price (disallows equality)

Root + Impact

Description

  • Normal behavior: The first valid bid should be allowed to meet or exceed the listing minimum price.

  • Issue: The contract enforces msg.value > listing.minPrice for the first bid, which disallows bids that are exactly equal to the minimum price and prevents legitimate user actions.

    if (previousBidAmount == 0) {
        requiredAmount = listing.minPrice;
@>      require(msg.value > requiredAmount, "First bid must be > min price");
        listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;
        emit AuctionExtended(tokenId, listing.auctionEnd);
    } else {
        requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
        require(msg.value >= requiredAmount, "Bid not high enough");
        uint256 timeLeft = 0;
        if (listing.auctionEnd > block.timestamp) {
            timeLeft = listing.auctionEnd - block.timestamp;
        }
        if (timeLeft < S_AUCTION_EXTENSION_DURATION) {
            listing.auctionEnd = listing.auctionEnd + S_AUCTION_EXTENSION_DURATION;
            emit AuctionExtended(tokenId, listing.auctionEnd);
        }
    }

Risk

Likelihood:

  • A bidder places the first bid exactly equal to minPrice (common when minimum is shown and user bids that exact amount).

  • Frontend uses the displayed minimum price to construct transactions.

Impact:

  • Legitimate bids at the displayed min price are rejected, causing user experience friction and possible financial opportunity loss.

  • Could lead to test failures and wrong assumptions in off-chain tooling.

Proof of Concept

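    // Forge-style PoC; nft, market and bidder are assumed to come from the test contract's setUp()
    function test_firstBidEqualToMinPriceReverts() public {
        // List a freshly minted token with a minimum price of 0.01 ether
        uint256 tokenId = nft.mint(address(this));
        market.listNFT(tokenId, 0.01 ether, 0);
        // Fund the bidder with exactly the minimum price
        vm.deal(bidder, 0.01 ether);
        vm.prank(bidder);
        // A first bid equal to minPrice is rejected by the strict > check
        vm.expectRevert("First bid must be > min price");
        market.placeBid{value: 0.01 ether}(tokenId);
    }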

Explanation:
This PoC demonstrates that placing a first bid equal to the minimum price is rejected, even though logically it should be valid. It shows the functional problem in a testable way.

Recommended Mitigation

- require(msg.value > listing.minPrice, "First bid must be > min price");
+ require(msg.value >= listing.minPrice, "First bid must be >= min price");
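Review bot: the removed line does not match the check quoted in the Description, which reads require(msg.value > requiredAmount, ...) with requiredAmount assigned from listing.minPrice on the line before. Write the fix against that expression so the patch applies as shown, i.e. require(msg.value >= requiredAmount, "First bid must be >= min price"). The revert string changes as well, so anything that matches "First bid must be > min price" (the PoC's vm.expectRevert does) has to be updated in the same change.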

Explanation:

Changing > to >= allows bids exactly equal to the minimum price while preserving the intended logic.
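
A boundary regression test for the mitigation above, as an added example that is not part of the original submission or the BidBeasts code base. `FirstBidCheck` is a hypothetical stand-in that isolates only the two `require` forms, and the test assumes a Foundry project with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in isolating the first-bid check; not the BidBeasts contract.
contract FirstBidCheck {
    uint256 public immutable minPrice;

    constructor(uint256 _minPrice) {
        minPrice = _minPrice;
    }

    // Check as quoted in the finding.
    function bidOriginal() external payable {
        require(msg.value > minPrice, "First bid must be > min price");
    }

    // Check after the recommended mitigation.
    function bidPatched() external payable {
        require(msg.value >= minPrice, "First bid must be >= min price");
    }
}

contract FirstBidBoundaryTest is Test {
    // Funds this test contract with `value`, sends it, and reports whether the call succeeded.
    function _accepts(FirstBidCheck check, string memory sig, uint256 value) internal returns (bool ok) {
        vm.deal(address(this), value);
        (ok,) = address(check).call{value: value}(abi.encodeWithSignature(sig));
    }

    // Every fuzz run probes minPrice - 1, minPrice and minPrice + 1, so the equality case is always hit.
    function testFuzz_firstBidBoundary(uint96 rawMin) public {
        uint256 minPrice = bound(rawMin, 1, type(uint96).max);
        FirstBidCheck check = new FirstBidCheck(minPrice);

        // Below the minimum: rejected by both versions.
        assertFalse(_accepts(check, "bidOriginal()", minPrice - 1));
        assertFalse(_accepts(check, "bidPatched()", minPrice - 1));

        // Exactly the minimum: the only input on which the two versions differ.
        assertFalse(_accepts(check, "bidOriginal()", minPrice));
        assertTrue(_accepts(check, "bidPatched()", minPrice));

        // Above the minimum: accepted by both.
        assertTrue(_accepts(check, "bidOriginal()", minPrice + 1));
        assertTrue(_accepts(check, "bidPatched()", minPrice + 1));
    }
}
```

Fuzzing the bid value independently of `minPrice` would almost never land on equality, which is why the test derives all three probes from the fuzzed minimum.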

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: First Bid > Instead of >=

First bid validation uses > instead of >=, preventing valid starting bids.
