Bid Beasts

First Flight #49
Beginner Friendly · Foundry · Solidity · NFT
Submission Details
Severity: low
Valid

Auction Duration Misconfigured Leads to Premature Auction Endings

Description

BidBeastsNFTMarket::S_AUCTION_EXTENSION_DURATION is initialized to 15 minutes, and placeBid applies this value to auctionEnd when the first bid is placed, so the auction clock starts at 15 minutes rather than at the documented 3 days.

According to the project documentation, the auction should last exactly 3 days, after which anyone can call endAuction(tokenId) to finalize the sale. No auction extension mechanism is mentioned.

This means that instead of running for 3 days, an auction's clock is only 15 minutes long from the first bid, and any bid that lands within the final 15 minutes pushes auctionEnd out by another 15 minutes. This behavior contradicts the specification and creates confusion for users.

@> uint256 public constant S_AUCTION_EXTENSION_DURATION = 15 minutes;

Risk

Likelihood:

  • This issue occurs for every auction, since the code hard-codes a 15-minute clock and extension mechanism instead of enforcing the documented 3-day deadline.

  • The problem manifests systematically in every auction lifecycle: the first bid starts a 15-minute clock, and every qualifying bid placed in the final 15 minutes extends it again.

Impact:

  • Auctions do not respect the intended fixed 3-day duration, breaking the marketplace’s expected rules and user trust.

  • Malicious or strategic bidders can artificially prolong auctions indefinitely by bidding inside the final 15 minutes each time, preventing finalization via endAuction and potentially locking the seller's NFT and the ETH held for bids longer than intended.

Proof of Concept

Because the extension branch in BidBeastsNFTMarket::placeBid fires for every bid placed with fewer than 15 minutes remaining, and the whole clock is only 15 minutes long, a chain of late bids keeps an auction open indefinitely:

  1. Alice lists her NFT. Bob places the first bid => auctionEnd = block.timestamp + 15 minutes (not the documented 3 days).

  2. Carol bids one minute before that deadline => timeLeft < 15 minutes, so auctionEnd is extended by +15 minutes.

  3. Another bidder repeats this shortly before every new deadline => the auction never closes and endAuction(tokenId) can never be called.

// BidBeastsNFTMarket::placeBid, branch taken for every bid after the first:
// a bid with fewer than 15 minutes left adds 15 minutes to the existing deadline
if (timeLeft < S_AUCTION_EXTENSION_DURATION) {
    listing.auctionEnd = listing.auctionEnd + S_AUCTION_EXTENSION_DURATION;
    emit AuctionExtended(tokenId, listing.auctionEnd);
}
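The timeline above as a Foundry test, added here as an example and not part of the original submission or of the BidBeasts code base. AuctionClockModel is a hypothetical stand-in that reproduces only the auctionEnd bookkeeping quoted above; bid amounts, refunds and the NFT transfer are omitted, and the require that rejects bids on an expired auction is an assumption about the real placeBid, since that check is not shown on this page. The constructor flag switches between the current behaviour and the fixed 3-day deadline proposed in the mitigation section, so one contract serves both scenarios.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Hypothetical stand-in for the auction clock in BidBeastsNFTMarket::placeBid
/// (added example, not the project's contract). `fixedDuration == false`
/// reproduces the quoted code; `fixedDuration == true` applies a 3-day deadline
/// that is set once and never moved.
contract AuctionClockModel {
    uint256 public constant S_AUCTION_EXTENSION_DURATION = 15 minutes;
    uint256 public constant AUCTION_DURATION = 3 days; // documented duration

    bool public immutable fixedDuration;
    uint256 public auctionEnd;
    uint256 public bidCount;

    event AuctionExtended(uint256 newAuctionEnd);

    constructor(bool _fixedDuration) {
        fixedDuration = _fixedDuration;
    }

    function placeBid() external {
        // Assumption: the real placeBid rejects bids once auctionEnd has passed.
        require(bidCount == 0 || block.timestamp < auctionEnd, "Auction ended");

        if (bidCount == 0) {
            // First bid starts the clock: 15 minutes today, 3 days under the fix.
            auctionEnd = block.timestamp
                + (fixedDuration ? AUCTION_DURATION : S_AUCTION_EXTENSION_DURATION);
        } else if (!fixedDuration) {
            // Quoted extension branch: a bid in the final 15 minutes adds
            // 15 minutes to the existing deadline (not to block.timestamp).
            uint256 timeLeft = 0;
            if (auctionEnd > block.timestamp) {
                timeLeft = auctionEnd - block.timestamp;
            }
            if (timeLeft < S_AUCTION_EXTENSION_DURATION) {
                auctionEnd = auctionEnd + S_AUCTION_EXTENSION_DURATION;
                emit AuctionExtended(auctionEnd);
            }
        }
        bidCount++;
    }
}

contract AuctionClockTest is Test {
    // Current code: the clock is 15 minutes, and a chain of last-minute bids
    // keeps pushing it, so endAuction() is never callable.
    function test_currentCode_15MinutesAndUnboundedExtension() public {
        AuctionClockModel m = new AuctionClockModel(false);
        uint256 start = block.timestamp;

        m.placeBid(); // Bob's first bid
        assertEq(m.auctionEnd(), start + 15 minutes, "clock should be 15 minutes, not 3 days");

        // Ten bidders each bid one minute before the current deadline.
        for (uint256 i = 0; i < 10; i++) {
            vm.warp(m.auctionEnd() - 1 minutes);
            m.placeBid();
        }
        // Every late bid added a full 15 minutes to the previous deadline.
        assertEq(m.auctionEnd(), start + 15 minutes + 10 * 15 minutes);
        assertGt(m.auctionEnd(), block.timestamp); // still open
    }

    // Mitigation: the deadline is set once and a late bid cannot move it.
    function test_mitigation_fixedThreeDays() public {
        AuctionClockModel m = new AuctionClockModel(true);
        uint256 start = block.timestamp;

        m.placeBid();
        vm.warp(m.auctionEnd() - 1 minutes);
        m.placeBid(); // late bid is accepted but does not extend the deadline
        assertEq(m.auctionEnd(), start + 3 days);

        vm.warp(start + 3 days);
        vm.expectRevert("Auction ended");
        m.placeBid();
    }
}
```

Run with `forge test --match-contract AuctionClockTest -vv`. The first test is the proof of concept in executable form: ten late bids push the deadline 150 minutes past a clock that was supposed to be 3 days in the first place, and the auction is still open at the end. The second test pins the behaviour the mitigation wants: one deadline, never extended, and bids rejected once it passes.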

Recommended Mitigation

  1. Replace the hard-coded S_AUCTION_EXTENSION_DURATION = 15 minutes with the intended fixed auction duration (e.g., 3 days).

  2. Remove the dynamic extension logic tied to new bids (auctionEnd = auctionEnd + S_AUCTION_EXTENSION_DURATION). If the team actually wants anti-sniping extensions, keep them, but document them and cap the number of extensions so an auction cannot be prolonged indefinitely.

  3. Set auctionEnd = block.timestamp + 3 days exactly once (at listing, or on the first bid as the current code does), with no modifications thereafter, and make the documentation state which of the two starts the clock.

  4. Update the NatSpec/documentation to match the implemented logic (or vice versa), ensuring consistency.

- uint256 public constant S_AUCTION_EXTENSION_DURATION = 15 minutes;
+ uint256 public constant AUCTION_DURATION = 3 days;
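Review bot: deleting S_AUCTION_EXTENSION_DURATION here leaves the timeLeft branch in placeBid referencing a constant that no longer exists, so this hunk and the placeBid hunk must land in the same commit or the contract will not compile. The rename also drops the `S_` prefix that the rest of the contract uses for constants (S_MIN_BID_INCREMENT_PERCENTAGE); `S_AUCTION_DURATION` would keep the naming consistent.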

Then, in the BidBeastsNFTMarket::placeBid function, make these changes:

if (previousBidAmount == 0) {
requiredAmount = listing.minPrice;
require(msg.value > requiredAmount, "First bid must be > min price");
- listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;
- emit AuctionExtended(tokenId, listing.auctionEnd);
+ listing.auctionEnd = block.timestamp + AUCTION_DURATION;
+ emit AuctionStarted(tokenId, listing.auctionEnd);
} else {
requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);
require(msg.value >= requiredAmount, "Bid not high enough");
- uint256 timeLeft = 0;
- if (listing.auctionEnd > block.timestamp) {
- timeLeft = listing.auctionEnd - block.timestamp;
- }
- if (timeLeft < S_AUCTION_EXTENSION_DURATION) {
- listing.auctionEnd = listing.auctionEnd + S_AUCTION_EXTENSION_DURATION;
- emit AuctionExtended(tokenId, listing.auctionEnd);
- }
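Review bot: the added `emit AuctionStarted(tokenId, listing.auctionEnd);` references an event that is not declared anywhere in the code shown (only AuctionExtended is), so the hunk must also add `event AuctionStarted(uint256 indexed tokenId, uint256 auctionEnd);` or keep emitting the existing event. The first-bid branch still starts the clock at the first bid rather than at listing, which conflicts with mitigation item 3 (auctionEnd set when the auction is created); whichever is intended, the documentation should say so. Note also that removing the timeLeft branch removes the only anti-sniping protection, so a bid landing in the last block before auctionEnd cannot be answered; that matches a strict 3-day fixed auction, but it is a design decision the team should state explicitly.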
Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Improper Documentation

Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.
