Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Unexpected NFT minimum price

febrian

`BidBeastsNFTMarketPlace::placeBid` comparison options make unexpected NFT minimum price

Description

This function is designed to allow bidders or buyers to submit their offers for acquiring the desired NFT, with the minimum bid price set at listing.minPrice—as established by the seller during the listing process.

However, a flaw in the comparison operator—using > (greater than) instead—forces bids to exceed listing.minPrice. This deviates from the protocol's documentation and the README.md file.

if (previousBidAmount == 0) {

requiredAmount = listing.minPrice;

@> require(msg.value > requiredAmount, "First bid must be > min price");

listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;

emit AuctionExtended(tokenId, listing.auctionEnd);

}

Risk

Likelihood: High

Reason 1: It's practically guaranteed that every prospective buyer will call this function to submit their bids.
Reason 2: The initial bidder or buyer will run into this particular code block.

Impact: Low

Impact 1: While it won't result in any financial losses, it nonetheless strays from the protocol's intended logic outlined in the documentation.
Impact 2: It compels the first bidder to submit an offer exceeding listing.minPrice.

Proof of Concept

This Foundry test returned true which mean expected revert has fulfilled.

function test_placeBid_unexpectedMinPrice() public {

_mintNFT();

_listNFT();

vm.prank(BIDDER_1);

vm.expectRevert("First bid must be > min price");

market.placeBid{value: MIN_PRICE}(TOKEN_ID);

}

Recommended Mitigation

Replace > with >= to allow bids equal to the minimum price.

if (previousBidAmount == 0) {

requiredAmount = listing.minPrice;

- require(msg.value > requiredAmount, "First bid must be > min price");

+ require(msg.value >= requiredAmount, "First bid must be >= min price");

listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;

emit AuctionExtended(tokenId, listing.auctionEnd);

}

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: First Bid > Instead of >=

First bid validation uses > instead of >=, preventing valid starting bids.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.