Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Seller Early Exit Violates Time-Bounded Auction Principle As Mentioned in Docs

iamkashifyousuf

Description

Normal Behavior The official documentation clearly states auctions last for 3 days, creating a predictable, time-bound competitive environment for all participants. Bidders should have the full advertised duration to compete and strategize their bids.

Issue The `takeHighestBid()` function allows sellers to terminate auctions prematurely, fundamentally breaking the time-bound nature of the auction system.

@> function takeHighestBid(uint256 tokenId) external isListed(tokenId) isSeller(tokenId, msg.sender) {

@> Bid storage bid = bids[tokenId];

@> require(bid.amount >= listings[tokenId].minPrice, "Highest bid is below min price");

@> _executeSale(tokenId);

@> }

Risk

Likelihood:

Sellers will frequently use this to lock in profits when they see a "good enough" bid
Sellers will frequently use this to avoid waiting 3 days for funds

Impact:

Breaks Time-Bound Promise: The 3-day duration becomes meaningless when sellers can end auctions at will.
Unpredicatable Auction Time: The current code implementation extends the duration of auction which can make auction ending time unpredicatable.

Recommended Mitigation

The code changes enforce a strict 3-day auction duration as documented, eliminating the previous rolling extension mechanism that created unpredictable auction end times.

- uint256 constant public S_AUCTION_EXTENSION_DURATION = 15 minutes;

+ uint256 constant public immutable I_AUCTION_DURATION = 3 days;

function listNFT(uint256 tokenId, uint256 _minPrice, uint256 _buyNowPrice) external {

require(BBERC721.ownerOf(tokenId) == msg.sender, "Not the owner");

require(_minPrice >= S_MIN_NFT_PRICE, "Min price too low");

if (_buyNowPrice > 0) {

require(_minPrice <= _buyNowPrice, "Min price cannot exceed buy now price");

}

BBERC721.transferFrom(msg.sender, address(this), tokenId);

listings[tokenId] = Listing({

seller: msg.sender,

minPrice: _minPrice,

buyNowPrice: _buyNowPrice,

- auctionEnd: 0, // Timer starts only after the first valid bid.

+ auctionEnd: block.timestamp + 3 days,

listed: true

});

emit NftListed(tokenId, msg.sender, _minPrice, _buyNowPrice);

}

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

Listing storage listing = listings[tokenId];

address previousBidder = bids[tokenId].bidder;

uint256 previousBidAmount = bids[tokenId].amount;

require(listing.seller != msg.sender, "Seller cannot bid");

// auctionEnd == 0 => no bids yet => allowed

// auctionEnd > 0 and block.timestamp >= auctionEnd => auction ended => block

- require(listing.auctionEnd == 0 || block.timestamp < listing.auctionEnd, "Auction ended");

+ require(block.timestamp < listing.auctionEnd, "Auction ended");

// --- Buy Now Logic ---

if (listing.buyNowPrice > 0 && msg.value >= listing.buyNowPrice) {

uint256 salePrice = listing.buyNowPrice;

uint256 overpay = msg.value - salePrice;

// EFFECT: set winner bid to exact sale price (keep consistent)

bids[tokenId] = Bid(msg.sender, salePrice);

listing.listed = false;

if (previousBidder != address(0)) {

_payout(previousBidder, previousBidAmount);

}

// NOTE: using internal finalize to do transfer/payouts. _executeSale will assume bids[tokenId] is the final winner.

_executeSale(tokenId);

// Refund overpay (if any) to buyer

if (overpay > 0) {

_payout(msg.sender, overpay);

}

return;

}

require(msg.sender != previousBidder, "Already highest bidder");

emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);

// --- Regular Bidding Logic ---

uint256 requiredAmount;

if (previousBidAmount == 0) {

requiredAmount = listing.minPrice;

require(msg.value > requiredAmount, "First bid must be > min price");

- listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;

- emit AuctionExtended(tokenId, listing.auctionEnd);

} else {

requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);

require(msg.value >= requiredAmount, "Bid not high enough");

- uint256 timeLeft = 0;

- if (listing.auctionEnd > block.timestamp) {

- timeLeft = listing.auctionEnd - block.timestamp;

- }

- if (timeLeft < S_AUCTION_EXTENSION_DURATION) {

- listing.auctionEnd = listing.auctionEnd + S_AUCTION_EXTENSION_DURATION;

- emit AuctionExtended(tokenId, listing.auctionEnd);

- }

}

// EFFECT: update highest bid

bids[tokenId] = Bid(msg.sender, msg.value);

if (previousBidder != address(0)) {

_payout(previousBidder, previousBidAmount);

}

emit BidPlaced(tokenId, msg.sender, msg.value);

}

function settleAuction(uint256 tokenId) external isListed(tokenId) {

Listing storage listing = listings[tokenId];

- require(listing.auctionEnd > 0, "Auction has not started (no bids)");

require(block.timestamp >= listing.auctionEnd, "Auction has not ended");

require(bids[tokenId].amount >= listing.minPrice, "Highest bid did not meet min price");

_executeSale(tokenId);

}

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Improper Documentation

Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.