In the placeBid() function, the required next bid amount is calculated as:
This performs division before multiplication, causing precision loss because Solidity uses integer division (truncation).
As a result, the computed requiredAmount can be lower than intended, allowing bidders to place bids that don’t meet the actual minimum increment requirement.
Impact:
Bidders may bypass the intended increment rule and underbid.
Auction integrity is broken since bids smaller than the true X% increment can be accepted.
Sellers lose potential revenue due to invalid lower bids being allowed.
previousBidAmount = 101
Vulnerable formula: (101 / 100) * 105 = 105.
Correct formula: (101 * 105) / 100 = 106.
A malicious bidder can submit 105 (instead of 106), bypassing the increment rule.
Always multiply before dividing to avoid precision truncation.
This ensures the minimum next bid is calculated without the precision lost to early truncation.
Integer division in requiredAmount truncates fractions, allowing bids slightly lower than intended.
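The following is an added example, not code from the audited contract: it models Solidity's truncating unsigned division with Python's floor division and compares the two formulas across a range of previous bids. The 5% increment (multiplier 105) comes from the worked example above; all function names are hypothetical.

```python
# Added example: Python's // on non-negative ints matches Solidity's uint division.
# INCREMENT_MULTIPLIER = 105 is taken from the page's example (5% increment);
# every function name here is hypothetical.

INCREMENT_MULTIPLIER = 105
DENOMINATOR = 100


def required_vulnerable(previous_bid: int) -> int:
    """Divide first: the remainder of previous_bid / 100 is discarded early."""
    return (previous_bid // DENOMINATOR) * INCREMENT_MULTIPLIER


def required_fixed(previous_bid: int) -> int:
    """Multiply first: only the final quotient is truncated."""
    return (previous_bid * INCREMENT_MULTIPLIER) // DENOMINATOR


def shortfall(previous_bid: int) -> int:
    """How far the vulnerable minimum falls below the multiply-first minimum."""
    return required_fixed(previous_bid) - required_vulnerable(previous_bid)


def affected_bids(low: int, high: int) -> list[int]:
    """Previous bids in [low, high] for which the vulnerable formula under-requires."""
    return [b for b in range(low, high + 1) if shortfall(b) > 0]


def minimum_not_above_previous(previous_bid: int) -> bool:
    """True when the vulnerable minimum does not even exceed the previous bid."""
    return required_vulnerable(previous_bid) <= previous_bid


if __name__ == "__main__":
    # Constructed sample bids, including the page's value of 101.
    for bid in (99, 100, 101, 199):
        print(bid, required_vulnerable(bid), required_fixed(bid),
              shortfall(bid), minimum_not_above_previous(bid))
    print("affected in [100, 200]:", len(affected_bids(100, 200)))
```

The shortfall depends only on `previous_bid % 100`, so every previous bid that is not a multiple of 100 is affected, and a previous bid below 100 yields a vulnerable minimum of 0.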