Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Incorrect minimum price validation prevents valid first bids

Description:

The first bid validation logic in the placeBid() function incorrectly requires the bid amount to be strictly greater than the minimum price (msg.value > requiredAmount) instead of greater than or equal to (msg.value >= requiredAmount). This violates the fundamental concept of a "minimum price" which should represent the lowest acceptable price that the seller is willing to accept. The current implementation prevents buyers from placing bids exactly at the minimum price, effectively making the minimum price unattainable and forcing buyers to bid higher than the seller's stated minimum acceptable price.

This is even less consistent given that setting buyNowPrice is validated with require(_minPrice <= _buyNowPrice): a seller can set buyNowPrice equal to minPrice, and users can then buy the NFT at that price through buy-now, yet with the current check users cannot bid exactly minPrice.

Attack path:

  1. Seller lists an NFT with a minimum price of exactly 1.0 ETH, expecting to accept bids at this price level

  2. A legitimate buyer attempts to place the first bid of exactly 1.0 ETH (meeting the seller's minimum requirement)

  3. The validation logic require(msg.value > requiredAmount, "First bid must be > min price") rejects this valid bid

  4. This creates an artificial price floor above the seller's intended minimum

  5. Sellers cannot receive bids at their stated minimum price, potentially losing sales to buyers who offer exactly the minimum

  6. The marketplace fails to honor the seller's pricing expectations and buyer's willingness to pay the stated minimum

Impact:

The "minimum price" concept is fundamentally broken as it becomes unattainable

Valid buyers offering the minimum price are incorrectly rejected

Sellers cannot receive their stated minimum price

Recommended Mitigation:

Change the first bid validation to accept bids that are greater than or equal to the minimum price:

    if (previousBidAmount == 0) {
        requiredAmount = listing.minPrice;
        require(msg.value >= requiredAmount, "First bid must be >= min price");
        listing.auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;
        emit AuctionExtended(tokenId, listing.auctionEnd);
    } else {
        requiredAmount = (previousBidAmount * (100 + S_MIN_BID_INCREMENT_PERCENTAGE)) / 100;
        require(msg.value >= requiredAmount, "Bid not high enough");
        // ... auction extension logic ...
    }
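A Foundry regression test for the boundary described above, added here as an example and not taken from the BidBeasts code base. BidCheckModel is a simplified stand-in contract; its revert string and the 5% increment value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Simplified stand-in for the bid check (assumption: not the project's contract).
// `strict` selects the reported `>` comparison; otherwise the recommended `>=`.
contract BidCheckModel {
    uint256 public constant S_MIN_BID_INCREMENT_PERCENTAGE = 5; // assumed value
    uint256 public immutable minPrice;
    bool public immutable strict;
    uint256 public previousBidAmount;

    constructor(uint256 _minPrice, bool _strict) {
        minPrice = _minPrice;
        strict = _strict;
    }

    function placeBid() external payable {
        if (previousBidAmount == 0) {
            bool ok = strict ? msg.value > minPrice : msg.value >= minPrice;
            require(ok, "First bid below required amount");
        } else {
            uint256 requiredAmount = (previousBidAmount * (100 + S_MIN_BID_INCREMENT_PERCENTAGE)) / 100;
            require(msg.value >= requiredAmount, "Bid not high enough");
        }
        previousBidAmount = msg.value; // refunds and auction timing omitted
    }
}

contract FirstBidBoundaryTest is Test {
    uint256 constant MIN_PRICE = 1 ether;
    function setUp() public { vm.deal(address(this), 10 ether); }

    function test_StrictCheckRejectsBidAtMinPrice() public {
        BidCheckModel market = new BidCheckModel(MIN_PRICE, true);
        vm.expectRevert(bytes("First bid below required amount"));
        market.placeBid{value: MIN_PRICE}();
        market.placeBid{value: MIN_PRICE + 1}(); // only 1 wei above the floor passes
        assertEq(market.previousBidAmount(), MIN_PRICE + 1);
    }

    function test_InclusiveCheckAcceptsBidAtMinPrice() public {
        BidCheckModel market = new BidCheckModel(MIN_PRICE, false);
        vm.expectRevert(bytes("First bid below required amount"));
        market.placeBid{value: MIN_PRICE - 1}();
        market.placeBid{value: MIN_PRICE}();
        assertEq(market.previousBidAmount(), MIN_PRICE);
    }
}
```

Testing at minPrice - 1, minPrice and minPrice + 1 pins the comparison operator, so a later change back to `>` fails the suite.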
Updates

Lead Judging Commences

cryptoghost Lead Judge 27 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: First Bid > Instead of >=

First bid validation uses > instead of >=, preventing valid starting bids.
