Root + Impact

• Root Cause: The README claims auctions end after 3 days (259,200 seconds), suggesting a fixed duration from listing or the first bid. However, the placeBid function initializes auctionEnd to 15 minutes (S_AUCTION_EXTENSION_DURATION) upon the first bid and extends it by 15 minutes for late bids, with no enforcement of a 3-day duration. This discrepancy arises from the codebase’s extensible timer model not aligning with the documented fixed duration.

• Impact: This mismatch confuses users expecting a 3-day window, leading to missed bidding opportunities, premature auction endings, and potential financial losses for sellers due to lower final prices. It undermines trust in the platform, risks reputational damage, and may deter participation, especially compared to platforms with longer, predictable auction periods.

Description:

The README documentation states that auctions will end after 3 days, implying a fixed or initial duration of 72 hours (259,200 seconds) from the start of the auction or listing. However, the codebase does not implement this behavior. Instead, the auction timer (auctionEnd) is initialized to 0 upon listing and only starts upon the first bid, setting a duration of just 15 minutes (S_AUCTION_EXTENSION_DURATION). Subsequent bids may extend the auction by another 15 minutes if placed near the end, but there is no enforcement of a 3-day duration. This discrepancy can lead to auctions ending prematurely compared to user expectations.

Risk

• Likelihood: Medium. The issue affects all auctions where the first bid occurs, and users rely on the README’s 3-day claim. The likelihood increases with new users unfamiliar with the actual behavior or in low-activity auctions where extensions are unlikely.

• Impact: Medium. Premature endings may result in lower bids and financial loss for sellers, while inconsistent documentation erodes trust. The impact is significant in a competitive marketplace where clear expectations are critical, though it does not involve direct asset theft.

Proof of Concept:

• This test demonstrates the mismatch between the README's claimed 3-day auction duration and the actual codebase implementation.

• Upon the first bid, the auction end time is set to only 15 minutes after the bid timestamp, not 3 days.

• If no further bids occur, the auction ends after 15 minutes, violating the documented behavior.

• This test logs the auction end time and asserts it matches 15 minutes (failing if expecting 3 days).

Add the following to the BidBeastsNFTMarketTest.t.sol test file.

Explanation

• Setup: An NFT is listed with a minPrice and no buyNowPrice, and a first bid is placed at timestamp 1000.

• Issue: The auctionEnd is set to 1000 + 900 (15 minutes), not 1000 + 259200 (3 days) as implied by the README.

• Result: The test passes, confirming the auction ends after 15 minutes, highlighting the documentation-codebase mismatch.

Recommended Mitigation:

Update the codebase to align with the README by introducing a fixed initial auction duration of 3 days upon the first bid or listing. Alternatively, if the 15-minute extensible model is intended, revise the README to accurately reflect this behavior.

For example, to implement a 3-day initial duration:

• Additionally, consider adding a maximum auction cap (e.g., 7 days total) to prevent infinite extensions from repeated last-minute bids.

• Ensure all documentation (README, comments, etc.) is synchronized with the code to maintain consistency and user trust.