Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Precision Loss in Bid Increment Calculation Leads to Lower Minimum Bids

harshhegde662005

Root + Impact

Description

The intended behavior:

Takes the previous bid amount

Calculates a 5% increase (using S_MIN_BID_INCREMENT_PERCENTAGE = 5)

Requires new bid to be at least this increased amount

Prevents small bid increments and ensures meaningful price discovery

Vulnerability:

The BidBeastsNFTMarket contract contains a precision loss vulnerability in its bid increment calculation. The current implementation performs division before multiplication, leading to truncation of values due to Solidity's integer arithmetic. This allows users to place bids lower than the intended minimum increment amount.

// @audit-issue Division before multiplication causes precision loss

requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);

Risk

Bidders can place bids lower than intended minimum increment

Protocol receives less in bid increments than designed

Compounds with each bid, leading to accumulated value loss

Sellers receive less value than protocol design intended

Likelihood:

Medium - Allows bids below intended minimum increment

Impact:

High - Occurs with most bid amounts not divisible by 100

Proof of Concept

The above PoC demonstrates that:

A bid of 1050 wei is accepted when it should require 1055 wei

This represents a 5 wei loss in the minimum increment

The issue compounds with larger numbers and subsequent bids

Affects any bid amount not perfectly divisible by 100

function testBidIncrementPrecisionLoss() public {

// Setup auction with initial bid of 1005 wei

uint256 tokenId = 1;

uint256 initialBid = 1005;

// Place initial bid

auction.placeBid{value: initialBid}(tokenId);

// Calculate next required bid

// Expected: 1055 wei (1005 * 105 / 100)

// Actual: 1050 wei ((1005 / 100) * 105)

// Can bid 5 wei less than intended

auction.placeBid{value: 1050}(tokenId); // This succeeds but should fail

}

Recommended Mitigation

These changes ensure:

No precision loss in bid calculations

Consistent and accurate minimum bid requirements

Better maintainability and clarity of code

Proper test coverage for edge cases

- remove this code

requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);

+ add this code

requiredAmount = (previousBidAmount * (100 + S_MIN_BID_INCREMENT_PERCENTAGE)) / 100;

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Integer Division Precision Loss

Integer division in requiredAmount truncates fractions, allowing bids slightly lower than intended.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!