Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

takeHighestBid Allows Seller to End Auction Prematurely

_okchev

Root + Impact

Description

Normal behavior:
According to the documentation, auctions are designed to last exactly 3 days. After the auction ends, anyone can call endAuction(tokenId) to finalize the process. Sellers only initiate auctions through listNFT and receive payment if the auction is successful.

Issue:
The code introduces a function takeHighestBid that allows the seller to accept the current highest bid before the auction end time. This contradicts the documentation and undermines the fairness of the bidding process. Bidders expect the auction to last for the full duration, giving them an opportunity to place higher bids.

// Root cause: seller can bypass the 3-day deadline

function takeHighestBid(uint256 tokenId) external {

Listing storage listing = listings[tokenId];

require(msg.sender == listing.seller, "Not seller");

_executeSale(tokenId); @> executes settlement regardless of auctionEnd

}

Risk

Likelihood:

Always possible when seller chooses to end the auction early.
No protections exist in code to prevent premature termination.

Impact:

Buyers lose the guaranteed 3-day bidding window described in the documentation.
The marketplace may lose credibility if participants realize auctions can be closed arbitrarily.

Proof of Concept

Seller lists an NFT with minPrice 1 ETH.
Bidder A places 1.1 ETH bid.
Seller immediately calls takeHighestBid and ends the auction.
Bidder B never gets the chance to place a higher bid before the documented 3-day duration.

Recommended Mitigation

Decide whether takeHighestBid is an intended feature or not.

- function takeHighestBid(uint256 tokenId) external {

- Listing storage listing = listings[tokenId];

- require(msg.sender == listing.seller, "Not seller");

- _executeSale(tokenId);

- }

+ // Option 1: Remove takeHighestBid entirely to align with documentation.

+ // Option 2: If early acceptance is intended,

+ // explicitly document this behavior:

+ // "Sellers may call takeHighestBid(tokenId) at any time

+ // to accept the current highest bid before the 3-day deadline."

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!