Deadline in contest details is not enforced in `BidBeastsNFTMarket` contract - users bidding under wrong assumptions
Root + Impact
Description
-
After 3 days the auction ends and anyone can call
endAuctionfunction. -
There is no deadline enforced in
BidBeastsNFTMarketcontract (only an extension of 15 min after every bid) and there is no function calledendAuction.
-
Contest details
-
Auction Completion:
After 3 days, anyone can call
endAuction(tokenId)to finalize the auction.
-
The contract also supports:
Auction deadline of exactly 3 days.
-
Risk
Likelihood:
-
The mismatch exists unconditionally - every auction created is affected.
Impact:
-
All users are mislead by contest details vs. on-chain reality.
-
Users will assume the auction ends after 3 days, but in reality the auction ends 15 minutes after last bid.
Proof of Concept
Recommended Mitigation
Change the contest details to say that for every bid that is between minimum price and buy now price the auction duration extends 15 minutes. Then 15 minutes after last bid anyone can call settleAuction.
Lead Judging Commences
BidBeasts Marketplace: Improper Documentation
Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.