The contract uses the global variable block.timestamp inside settleAuction to determine whether an auction has ended.
Since miners can influence block.timestamp within a small range (commonly up to ~900 seconds, depending on network rules), this creates a manipulation vector:
A miner or colluding entity could advance the timestamp to meet the listing.auctionEnd requirement, allowing premature auction settlement.
While the impact window is small, it undermines fairness for bidders expecting the auction to run until the exact advertised end time.
Risk: Low – requires miner collusion or block production control.
Impact: High – an attacker can end auctions slightly earlier than intended, depriving bidders of their fair chance to submit last-minute bids.
Severity: Medium – exploitation requires specific conditions (miner influence) but creates significant fairness issues.
The auction is scheduled to end at T = 1000.
At T = 995, a malicious miner includes a block with block.timestamp = 1000.
The auction contract interprets the auction as finished.
The miner (or colluding attacker) immediately calls settleAuction(tokenId) and finalizes the sale.
Other bidders expecting the auction to run for 5 more seconds lose their opportunity to participate.
Integrate a decentralized time oracle or automation service (e.g., Chainlink Keepers) to provide reliable and tamper-resistant auction finality.
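The following Solidity is an added illustration of the finding, not the BidBeasts contract's code: the listing shape, function names and the `settler` address are assumptions. It places the timestamp-gated settlement described above beside a hardened variant that only accepts settlement from the automation service the recommendation names and, as an extra safeguard beyond that recommendation, requires the advertised end plus the maximum producer drift to have elapsed, so nudging block.timestamp cannot close an auction early.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for the finding above; Listing layout, function names
// and the automation address are assumptions, not the audited contract's code.
contract AuctionSettlement {
    struct Listing {
        address seller;
        address highestBidder;
        uint256 highestBid;
        uint256 auctionEnd; // advertised end, Unix seconds
        bool settled;
    }

    mapping(uint256 => Listing) public listings;

    // Drift a block producer can apply to block.timestamp (the finding cites ~900 s).
    uint256 public constant MAX_TIMESTAMP_DRIFT = 900;

    // Account allowed to trigger settlement, e.g. the forwarder of a Chainlink
    // Automation upkeep (assumed to be configured at deployment).
    address public immutable settler;

    event Settled(uint256 indexed tokenId, address winner, uint256 price);

    constructor(address _settler) {
        settler = _settler;
    }

    // Vulnerable pattern from the finding: the only gate is block.timestamp, so a
    // producer who stamps a block with auctionEnd at real time auctionEnd - 5
    // can settle five seconds early.
    function settleAuctionUnsafe(uint256 tokenId) external {
        Listing storage l = listings[tokenId];
        require(block.timestamp >= l.auctionEnd, "auction not ended");
        _finalize(tokenId, l);
    }

    // Hardened variant: only the automation service may settle, and settlement is
    // refused until the advertised end plus the maximum drift has passed, so no
    // in-range timestamp manipulation can shorten the bidding window.
    function settleAuction(uint256 tokenId) external {
        require(msg.sender == settler, "only automation may settle");
        Listing storage l = listings[tokenId];
        require(block.timestamp >= l.auctionEnd + MAX_TIMESTAMP_DRIFT, "auction not ended");
        _finalize(tokenId, l);
    }

    function _finalize(uint256 tokenId, Listing storage l) internal {
        require(!l.settled, "already settled");
        l.settled = true;
        emit Settled(tokenId, l.highestBidder, l.highestBid);
        // NFT and payment transfers would follow here.
    }
}
```

Bidding should keep accepting bids while block.timestamp is below auctionEnd; the gap between auctionEnd and auctionEnd + MAX_TIMESTAMP_DRIFT is a closed window in which neither bids nor settlement are accepted.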
Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.