Root + Impact

• Root Cause: The placeBid function calculates the required bid increment using the formula requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE), performing division before multiplication. In Solidity, integer division truncates decimal results, causing requiredAmount to be lower than intended. This misordering violates the auction’s logic, which aims to enforce a minimum increment (e.g., 5%) over the previous bid.

• Impact: This vulnerability allows attackers to place bids slightly below the intended increment, leading to under-bids being accepted. This reduces seller revenue, accumulates discrepancies over multiple bids, and results in unfair auction outcomes, undermining the marketplace’s financial integrity and user trust.

Description:

The placeBid function in the BidBeastsNFTMarket contract calculates the required bid increment for subsequent bids using the following formula:

This calculation performs division before multiplication, which introduces integer division truncation in Solidity. Since Solidity truncates decimal results during integer division, the requiredAmount is lower than intended, allowing bids that fall below the expected minimum increment. This violates the auction's intended logic, which requires each bid to exceed the previous bid by at least S_MIN_BID_INCREMENT_PERCENTAGE (e.g., 5%).

Risk

• Likelihood: High. The issue occurs in every bid calculation where previousBidAmount is not perfectly divisible by 100, a common scenario in auctions with varying bid amounts. Automated bidding scripts can exploit this consistently, especially in competitive auctions.

• Impact: Medium. While not causing direct asset theft, the acceptance of under-bids reduces seller revenue and fairness, with cumulative effects over multiple bids potentially leading to significant financial discrepancies and user dissatisfaction.

Proof of Concept:

• This test demonstrates an incorrect bid increment calculation in BidBeastsNFTMarket::placeBid.

• Because division is performed before multiplication, integer truncation lowers the requiredAmount.

• As a result, bids that are slightly below the intended increment are incorrectly accepted.

1. Add the following to foundry.toml to configure fuzz testing:

1. Add the following to the BidBeastsNFTMarketTest.t.sol test and run:

• The following fuzz test shows the incorrect calculation compared to the correct one:

Explanation

• Setup: The test fuzzes previousBid within a realistic range (0.01 to 100 ether) and uses a 5% increment.

• Issue: The incorrect formula (previousBid / 100) * 105 truncates the result, while the correct formula (previousBid * 105) / 100 preserves the intended increment.

• Result: The fuzzer identifies cases (e.g., 0.41848342096872603910 ether) where the wrong calculation (41848342096872603810) is less than the correct one (41848342096872603910), confirming the underestimation.

Recommended Mitigation:

• Correct the calculation by reordering the operations to multiply before dividing, ensuring accuracy and preventing unintended truncation from integer division:

• Add fuzz tests to confirm requiredAmount is always calculated correctly.

• For higher precision and long-term safety, consider adopting Math.mulDiv
  (from OpenZeppelin) or an equivalent custom implementation. This ensures precise percentage-based calculations without intermediate rounding errors and improves code readability.