Missing Auction Finalization Function Causes Documentation Inconsistency
Description
The documentation states that:
"After 3 days, anyone can call endAuction(tokenId) to finalize the auction."
However, the implementation finalize through settleAuction, which can only be called when listing.auctionEnd is reached.
This mismatch between the documented intent and actual code behavior creates confusion for users and developers who expect an explicit finalization mechanism after a fixed time period (e.g., 3 days).
Risk and Impact
-
Risk: Low – not a direct exploitable vulnerability.
-
Impact: Medium – functional discrepancy.
Severity: Low (documentation/UX flaw, but can lead to operational inefficiency).
PoC
-
Documentation promises a callable
endAuction(tokenId)after 3 days. -
Auctions only finalize when
settleAuctionis called, creating a mismatch between expected and actual behavior.
Recommended Mitigation
-
Implement an explicit finalization function (e.g., settleAuction(tokenId)) callable by anyone after a fixed period.
-
Ensure documentation and code remain aligned
Lead Judging Commences
BidBeasts Marketplace: Improper Documentation
Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.