Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

"Auction deadline" not implemented correctly in `BidBeastsNFTMarketPlace.sol`

Description: The README.md states that the contract supports:

- **Auction deadline** of exactly 3 days.

No such deadline is implemented. After an initial bid is placed, the auction is set on a 15-minute timer. This disrupts the intended functionality and use of the protocol.

Risk:

IMPACT: LOW

  • There are no funds at risk, but the protocol is designed to have auctions last 3 days, not 15 min.

LIKELIHOOD: HIGH

  • This will happen on every single NFT listed for sale.

Proof of Concept: Insert this test into BidBeastsMarketPlaceTest.t.sol:

```solidity
function test_checkAuctionTimeRemainingAfterFirstBid() public {
    _mintNFT();
    _listNFT();

    // The first bid is what starts the auction timer.
    vm.prank(BIDDER_1);
    market.placeBid{value: BIGGER_BID}(TOKEN_ID);

    uint256 auctionEnd = market.getListing(TOKEN_ID).auctionEnd;
    uint256 timeRemaining = auctionEnd - block.timestamp;
    console.log("Time Remaining after first bid:", timeRemaining);

    // Both assertions pass: the deadline equals the extension window, not 3 days.
    assertEq(auctionEnd, block.timestamp + market.S_AUCTION_EXTENSION_DURATION(), "Auction end time is incorrect");
    assertEq(timeRemaining, market.S_AUCTION_EXTENSION_DURATION(), "Time remaining is incorrect");
}
```

The result of the console.log will show that there are 900 seconds remaining in the auction, not the 3 days that were promised (in the README.md) once an auction began.

Recommended Mitigation: Add the following code to BidBeastsNFTMarketPlace.sol:

// Events //
+ event AuctionStarted(uint256 tokenId, uint256 auctionEnd);
.
.
.
// Constant Variables //
+ uint256 constant public S_AUCTION_DURATION = 3 days; // New constant for 3-day duration
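Review bot: `tokenId` in the new `AuctionStarted` event is not `indexed`, so off-chain consumers cannot filter auction starts by token from the logs; consider `event AuctionStarted(uint256 indexed tokenId, uint256 auctionEnd);`. As a style point on the constant line, the conventional modifier order is `uint256 public constant`, and the trailing comment only repeats what the name and value already say.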

Now, inside the BidBeastsNFTMarketPlace::placeBid() function, edit the logic to set a 3-day duration rather than 15 minutes.

I would also add a new AuctionStarted event and emit it in place of the first AuctionExtended.

// --- Regular Bidding Logic ---
uint256 requiredAmount;
if (previousBidAmount == 0) {
requiredAmount = listing.minPrice;
require(msg.value > requiredAmount, "First bid must be > min price");
+ listing.auctionEnd = block.timestamp + S_AUCTION_DURATION; // Set to 3 days
- listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION; // Set to 3 days
+ emit AuctionStarted(tokenId, listing.auctionEnd);
- emit AuctionExtended(tokenId, listing.auctionEnd);
} else {
requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
require(msg.value >= requiredAmount, "Bid not high enough");
uint256 timeLeft = listing.auctionEnd > block.timestamp ? listing.auctionEnd - block.timestamp : 0;
if (timeLeft < S_AUCTION_EXTENSION_DURATION) {
listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION; // Extend by 15 minutes
emit AuctionExtended(tokenId, listing.auctionEnd);
}
}
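Review bot: in the first-bid branch the 3-day window now starts at the first bid, but the unchanged `else` branch can still move `listing.auctionEnd` later by `S_AUCTION_EXTENSION_DURATION` whenever `timeLeft` falls below it, so the README's "exactly 3 days" becomes a minimum measured from the first bid rather than a fixed deadline. Either state that in the README or cap the extension, and say which was intended. The removed line carries the comment `// Set to 3 days` although it sets the 15-minute value, which is worth noting in the write-up. The proof-of-concept test should also be turned into a regression test by asserting against `S_AUCTION_DURATION` instead of `S_AUCTION_EXTENSION_DURATION`.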
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Improper Documentation

Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.
