Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Mismatch Between README and Contract Auction Logic

Root + Impact

Description

  • The README states that auctions run for a fixed duration of 3 days, and end with an endAuction() call. In contrast, the actual contract logic implements a rolling 15-minute extension auction (S_AUCTION_EXTENSION_DURATION) and finalization is performed via settleAuction().

  • This inconsistency creates confusion for auditors, testers, and participants since they may interact with the system based on incorrect documentation. Misaligned expectations could lead to disputes over auction results or missed settlement windows.

```solidity
// README: Claims 3-day auction duration with `endAuction()`
//
// Contract code:
uint256 constant public S_AUCTION_EXTENSION_DURATION = 15 minutes;
...
function settleAuction(uint256 tokenId) external isListed(tokenId) {
    require(listings[tokenId].auctionEnd > 0, "Auction has not started (no bids)");
    require(block.timestamp >= listings[tokenId].auctionEnd, "Auction has not ended");
    _executeSale(tokenId);
}
```
@> settleAuction() is the actual finalization function (the README's endAuction() does not exist)
@> Auction duration is 15 minutes from the last bid, extendable by each new bid

Risk

Likelihood:

  • Developers and auditors rely on the README for contest scope and assumptions.

  • Users will expect auctions to last exactly 3 days, but the contract ends them dynamically with extensions.

Impact:

  • Auditors may miss important bugs because they review against incorrect assumptions.

  • Users may lose opportunities or funds if they rely on incorrect auction timing (e.g., bidding too late).

Proof of Concept

This proof of concept shows how the documented specification (README) diverges from the implementation (contract). The README states that auctions last a fixed 3 days and are ended via endAuction(tokenId); reviewing the contract shows instead that auctions run on a rolling 15-minute extension and are finalized via settleAuction(tokenId).

Comparing the README's stated flow with the Solidity logic (S_AUCTION_EXTENSION_DURATION = 15 minutes) makes the mismatch plain. The PoC is a source-versus-documentation comparison and requires no transaction execution; it isolates the root cause of the misunderstanding rather than an exploitable state.

```diff
// Expected behavior from README:
- Auction lasts 3 days
- Auction ends with endAuction(tokenId)
// Actual behavior in contract:
+ Auction duration = 15 minutes per bid (rolling)
+ Ends with settleAuction(tokenId)
+ Buy Now option exists (not in README)
```
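The timing consequence described above (a bidder who trusts the README's 3-day window arrives after the auction has already closed) can be shown in a Foundry test. The following is an added example, not the BidBeasts contract or the report's own PoC: `RollingAuction` is a constructed minimal model that reuses only the names `S_AUCTION_EXTENSION_DURATION`, `auctionEnd` and `settleAuction()` from the report; `placeBid()`, the highest-bid bookkeeping and the starting timestamp are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed minimal model of a rolling-extension auction. It is NOT the
// BidBeasts contract: only S_AUCTION_EXTENSION_DURATION, auctionEnd and
// settleAuction() are taken from the report; placeBid() and the
// highestBidder/highestBid bookkeeping are assumptions for illustration.
contract RollingAuction {
    uint256 public constant S_AUCTION_EXTENSION_DURATION = 15 minutes;

    uint256 public auctionEnd; // 0 until the first bid is placed
    address public highestBidder;
    uint256 public highestBid;
    bool public settled;

    function placeBid() external payable {
        require(!settled, "Already settled");
        require(auctionEnd == 0 || block.timestamp < auctionEnd, "Auction has ended");
        require(msg.value > highestBid, "Bid too low");

        address prev = highestBidder;
        uint256 prevBid = highestBid;
        highestBidder = msg.sender;
        highestBid = msg.value;
        // Every valid bid moves the deadline to 15 minutes from now (rolling window).
        auctionEnd = block.timestamp + S_AUCTION_EXTENSION_DURATION;

        // Refund the outbid participant after state is updated.
        if (prev != address(0)) {
            (bool ok, ) = prev.call{value: prevBid}("");
            require(ok, "Refund failed");
        }
    }

    // Same checks as the report's settleAuction(); sale execution is omitted here.
    function settleAuction() external {
        require(auctionEnd > 0, "Auction has not started (no bids)");
        require(block.timestamp >= auctionEnd, "Auction has not ended");
        settled = true;
    }
}

contract RollingAuctionTest is Test {
    RollingAuction auction;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        auction = new RollingAuction();
        vm.deal(alice, 10 ether);
        vm.deal(bob, 10 ether);
        vm.warp(1_000_000); // constructed starting timestamp
    }

    // A README reader expects a 3-day window; the contract closes 15 minutes after the last bid.
    function test_ReadmeTimingAssumptionIsWrong() public {
        vm.prank(alice);
        auction.placeBid{value: 1 ether}();
        assertEq(auction.auctionEnd(), block.timestamp + 15 minutes);

        // Bob bids one day later, well inside the README's 3-day window: rejected.
        vm.warp(block.timestamp + 1 days);
        vm.prank(bob);
        vm.expectRevert(bytes("Auction has ended"));
        auction.placeBid{value: 2 ether}();

        // The auction is already finalizable, and via settleAuction(), not endAuction().
        auction.settleAuction();
        assertTrue(auction.settled());
        assertEq(auction.highestBidder(), alice);
    }

    // Each valid bid extends the deadline by another 15 minutes from the bid time.
    function test_BidExtendsDeadline() public {
        vm.prank(alice);
        auction.placeBid{value: 1 ether}();
        uint256 firstEnd = auction.auctionEnd();

        vm.warp(firstEnd - 1 minutes);
        vm.prank(bob);
        auction.placeBid{value: 2 ether}();
        assertEq(auction.auctionEnd(), firstEnd - 1 minutes + 15 minutes);

        // Still inside the extended window, so settlement is refused.
        vm.expectRevert(bytes("Auction has not ended"));
        auction.settleAuction();
        assertEq(alice.balance, 10 ether); // alice was refunded when outbid
    }
}
```

Run with `forge test --match-contract RollingAuctionTest -vv` in a Foundry project that has forge-std installed. The first test is the one that matters for this finding: a participant acting on the README's stated 3-day duration is locked out after 15 minutes, which is the "bidding too late" loss of opportunity described under Impact.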

Recommended Mitigation

Update the README to match the contract logic (15-minute extensions, settleAuction(), Buy Now feature), or change the contract to match the README. Suggested README changes:

```diff
- After 3 days, anyone can call `endAuction(tokenId)` to finalize the auction.
- Auction deadline is fixed at exactly 3 days.
+ Auction begins once the first bid is placed and lasts 15 minutes.
+ Each new valid bid can extend the auction deadline by another 15 minutes.
+ Auctions are finalized by calling `settleAuction(tokenId)`.
+ A Buy Now option allows immediate purchase if the sent value >= buyNowPrice.
```

Updates

Lead Judging Commences

cryptoghost Lead Judge 28 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Improper Documentation

Documentation for BidBeasts Marketplace is incomplete or inaccurate, potentially leading to misconfigurations or security misunderstandings.
