Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

The 3-day auction deadline is not implemented anywhere in the contract: bidder 1 can bid listing.minPrice and take the NFT away after only 15 minutes, leaving other bidders just 15 minutes to bid (not fair at all).

Description

The contract README clearly states that auctions will last for 3 days. However, the BidBeastMarketPlace contract does not implement a 3-day limit anywhere.

When an NFT is first listed, auctionEnd is set to zero, which is acceptable. However, when the first bid is placed, the NFT listing should update the auctionEnd date to block.timestamp + 3 days.

This value should be set on the first bid only; on every subsequent bid, the contract should compare the current time with auctionEnd. If block.timestamp < auctionEnd, the bid is accepted; otherwise the call should revert with "auction ended".

Instead, the current code just increases the auction end time by S_AUCTION_EXTENSION_DURATION, which is only 15 minutes and makes no sense in the context of a 3-day auction period.

Impact or Risk

The first bidder can place a bid equal to the minPrice, and the protocol sets the auction end time to listing.auctionEnd + S_AUCTION_EXTENSION_DURATION (only +15 minutes, not 3 days).

After just 15 minutes, this user can call the settleAuction function. Since the auction has ended (after only 15 minutes), all conditions will be met and they will get the NFT at the minimum price.

There would be no competition: other users who want to bid cannot, because the auction lasted only 15 minutes rather than 3 days.

Proof of Concept

This is where the contract sets listing.auctionEnd = listing.auctionEnd + S_AUCTION_EXTENSION_DURATION when the first bid is placed.

The test below demonstrates that user1 can bid on the NFT, but if another bidder tries to bid only 1 day later, they cannot, because the auction ended after just 15 minutes instead of 3 days:

```solidity
function test_3days_limit() public {
    // Owner mints an NFT to the seller
    vm.startPrank(OWNER);
    nft.mint(SELLER);
    uint256 seller_nft_id = nft.CurrenTokenID() - 1;
    vm.stopPrank();

    // Seller approves the marketplace and lists the NFT
    vm.startPrank(SELLER);
    nft.approve(address(market), seller_nft_id);
    market.listNFT(seller_nft_id, MIN_PRICE, BUY_NOW_PRICE);
    vm.stopPrank();

    // First bid at the minimum price: auctionEnd is only extended by
    // S_AUCTION_EXTENSION_DURATION (15 minutes), not set to 3 days
    vm.prank(BIDDER_1);
    market.placeBid{value: MIN_PRICE}(seller_nft_id);

    // One day later, well inside the documented 3-day window,
    // a second bidder is rejected because the auction has already ended
    vm.warp(block.timestamp + 1 days);
    vm.prank(BIDDER_2);
    vm.expectRevert('Auction ended');
    market.placeBid{value: 2 ether}(seller_nft_id);
}
```

Mitigation

Create an immutable variable with value = 3 days:

```solidity
uint256 immutable public I_AUCTION_DURATION = 3 days;
```

On the first bid only, set:

```solidity
listing.auctionEnd = block.timestamp + I_AUCTION_DURATION;
```

On subsequent bids, simply check:

```solidity
require(block.timestamp < listing.auctionEnd, "Auction ended");
```

Remove the current logic that increases the auctionEnd by 15 minutes on every bid:

```solidity
require(block.timestamp < listing.auctionEnd, "Auction ended");
// Remove this:
if (listing.auctionEnd > block.timestamp) {
    timeLeft = listing.auctionEnd - block.timestamp;
}
```

This ensures the auction runs for the documented 3-day period from the first bid, allowing proper competition among bidders.

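The mitigation above, put together as a stand-alone contract that also mirrors the deadline check in settleAuction so the NFT cannot be claimed before the 3 days are up. This is an added example, not the BidBeastMarketPlace source: the contract name, struct layout and the pull-payment refund are assumptions, and the NFT transfer itself is left out to keep the focus on timing.

```solidity
pragma solidity ^0.8.20;

// Illustration of the fixed auction timing (added example, not the project's code).
// Names, struct layout and refund handling are assumptions for this snippet.
contract AuctionTimingExample {
    uint256 public immutable I_AUCTION_DURATION = 3 days;
    struct Listing {
        address seller;
        uint256 minPrice;
        uint256 auctionEnd;   // 0 until the first bid starts the clock
        address highestBidder;
        uint256 highestBid;
    }
    mapping(uint256 => Listing) public listings;
    mapping(address => uint256) public refunds; // outbid bidders withdraw from here

    function listNFT(uint256 tokenId, uint256 minPrice) external {
        listings[tokenId] = Listing(msg.sender, minPrice, 0, address(0), 0);
    }

    function placeBid(uint256 tokenId) external payable {
        Listing storage l = listings[tokenId];
        require(l.seller != address(0), "Not listed");
        require(msg.value >= l.minPrice && msg.value > l.highestBid, "Bid too low");
        if (l.auctionEnd == 0) {
            l.auctionEnd = block.timestamp + I_AUCTION_DURATION; // first bid opens the 3-day window
        } else {
            require(block.timestamp < l.auctionEnd, "Auction ended"); // later bids need an open window
        }
        if (l.highestBidder != address(0)) refunds[l.highestBidder] += l.highestBid;
        l.highestBidder = msg.sender;
        l.highestBid = msg.value;
    }

    function settleAuction(uint256 tokenId) external {
        Listing storage l = listings[tokenId];
        require(l.auctionEnd != 0, "No bids");
        require(block.timestamp >= l.auctionEnd, "Auction not ended"); // mirror of the bid check
        (address seller, uint256 amount) = (l.seller, l.highestBid);
        delete listings[tokenId];
        (bool ok, ) = seller.call{value: amount}("");
        require(ok, "Payout failed");
    }

    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        refunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Refund failed");
    }
}
```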
Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Improper Documentation

Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.
