Submission Details
Severity:
First bid can't equal minimum price
Greater than sign without equal leads to refusing minimum price
Description
The `BidBeastsNFTMarket::placeBid` function incorrectly requires the first bid to be strictly greater than the minimum price `(msg.value > requiredAmount)` instead of allowing it to equal the minimum price. This prevents users from bidding exactly at the minimum price, which should be a valid bid according to auction logic.
if (previousBidAmount == 0) {
requiredAmount = listing.minPrice;
//@audit it should be bigger than or equal
@> require(msg.value > requiredAmount, "First bid must be > min price");
listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;
emit AuctionExtended(tokenId, listing.auctionEnd);
}
Risk
Likelihood:
When exactly minimum amount is used to bid
Proof of Concept
function test_placeMinimumPrice() public {
_mintNFT();
_listNFT();
vm.prank(BIDDER_1);
//this will revert but it shouldn't
market.placeBid{value: MIN_PRICE}(TOKEN_ID);
BidBeastsNFTMarket.Bid memory highestBid = market.getHighestBid(TOKEN_ID);
assertEq(highestBid.bidder, BIDDER_1);
}
Recommended Mitigation
adding the equal sign will solve the issue
requiredAmount = listing.minPrice;
- require(msg.value > requiredAmount, "First bid must be > min price");
+ require(msg.value >= requiredAmount, "First bid must be >= min price");
Updates
Lead Judging Commences
cryptoghost about 1 month ago
Submission Judgement Published Assigned finding tags:
BidBeasts Marketplace: First Bid > Instead of >=
First bid validation uses > instead of >=, preventing valid starting bids.
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.