Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

L02. Minimum bid - Possible confusion between the code and the intended behavior

accessdenied

Root + Impact

Description

Normal behavior: The marketplace is intended to allow the first bid to meet or exceed the listing’s minimum price (minPrice) so that the auction can start correctly and match user expectations.
Issue: The contract currently enforces:

if (previousBidAmount == 0) {

requiredAmount = listing.minPrice;

require(msg.value > requiredAmount, "First bid must be > min price");

}

This requires the first bid to be strictly greater than minPrice, not equal.
Tests or users may assume that bidding exactly at minPrice is allowed, creating possible confusion between the code and the intended behavior.

// Root cause in the codebase with @> marks to highlight the relevant section

if (previousBidAmount == 0) {

requiredAmount = listing.minPrice;

@> require(msg.value > requiredAmount, "First bid must be > min price");

}

Risk

Likelihood:

Occurs whenever a bidder attempts to place a first bid equal to minPrice.
Happens because the contract logic is stricter than what users or tests may expect.

Impact:

The first bid is rejected unexpectedly, potentially confusing users.
Tests that assume equality (== minPrice) will fail, creating discrepancies between test expectations and contract behavior.

Proof of Concept

The following available test revert First bid must be > min price

function test_placeFirstBid() public {

_mintNFT();

_listNFT();

vm.prank(BIDDER_1);

market.placeBid{value: MIN_PRICE}(TOKEN_ID);

BidBeastsNFTMarket.Bid memory highestBid = market.getHighestBid(TOKEN_ID);

assertEq(highestBid.bidder, BIDDER_1);

assertEq(highestBid.amount, MIN_PRICE);

assertEq(market.getListing(TOKEN_ID).auctionEnd, block.timestamp + market.S_AUCTION_EXTENSION_DURATION());

}

Demonstrates that the current contract rejects bids equal to minPrice, highlighting the mismatch with expected behavior.

Recommended Mitigation

Aligns the contract or the test with the intended behavior.

Updates

Lead Judging Commences

cryptoghost Lead Judge 24 days ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: First Bid > Instead of >=

First bid validation uses > instead of >=, preventing valid starting bids.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.