Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[M-1]Incorrect Bid Increment Calculation

chargingfoxsec

[M-1]Incorrect Bid Increment Calculation

Description

The placeBid function calculates the minimum required bid amount based on the previous bid and an increment percentage
The calculation (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE) suffers from precision loss due to integer division, resulting in lower required bid amounts than intended

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

// ...existing code...

@> requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);

require(msg.value >= requiredAmount, "Bid not high enough");

// ...existing code...

}

Risk

Likelihood: HIGH

Occurs on every bid calculation where previousBidAmount is not a multiple of 100
Integer division always rounds down in Solidity

Impact: MEDIUM

Required bid increments will be lower than the intended 5%
For a bid of 123 wei, next required bid would be 105 wei instead of 129 wei

Proof of Concept

contract BidTest {

function testIncorrectBidCalculation() public pure {

uint256 previousBid = 123;

// Current calculation

uint256 incorrect = (previousBid / 100) * 105; // = 105

// Correct calculation

uint256 correct = (previousBid * 105) / 100; // = 129

assert(incorrect < correct); // Will pass, showing the issue

}

Recommended Mitigation

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

// ...existing code...

- requiredAmount = (previousBidAmount / 100) * (100 + S_MIN_BID_INCREMENT_PERCENTAGE);

+ requiredAmount = (previousBidAmount * (100 + S_MIN_BID_INCREMENT_PERCENTAGE)) / 100;

require(msg.value >= requiredAmount, "Bid not high enough");

// ...existing code...

}

Change the order of operations to perform multiplication before division to avoid precision loss in the bid increment calculation.

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Integer Division Precision Loss

Integer division in requiredAmount truncates fractions, allowing bids slightly lower than intended.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.