Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Highest bidder bypass allows unfair buy now exploitation

anchabadze

Description:

The smart contract contains a logic flaw in the placeBid() function where the "Already highest bidder" validation check is positioned after the Buy Now execution logic. This allows the current highest bidder to bypass the intended restriction and purchase the NFT at the fixed Buy Now price, even though they should be prevented from placing additional bids. The vulnerability stems from the premature return statement in the Buy Now logic that prevents the validation check from ever executing for Buy Now purchases.

Attack path:

User places an initial bid (e.g., 1 ETH) to become the highest bidder
User calls placeBid() again with msg.value >= buyNowPrice (e.g., 2 ETH)
The Buy Now logic executes first, bypassing the require(msg.sender != previousBidder) check
Function returns early from Buy Now logic, never reaching the validation
User successfully purchases the NFT at Buy Now price despite being the current highest bidder

Impact:

Undermines auction integrity by allowing bypass of fundamental bidding rules

Recommended Mitigation:

Move the "Already highest bidder" validation check before the Buy Now logic execution:

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

Listing storage listing = listings[tokenId];

address previousBidder = bids[tokenId].bidder;

uint256 previousBidAmount = bids[tokenId].amount;

require(listing.seller != msg.sender, "Seller cannot bid");

require(msg.sender != previousBidder, "Already highest bidder"); // ✅ Check BEFORE Buy Now

require(listing.auctionEnd == 0 || block.timestamp < listing.auctionEnd, "Auction ended");

// Buy Now logic

if (listing.buyNowPrice > 0 && msg.value >= listing.buyNowPrice) {

// ... existing Buy Now implementation

}

// Regular bidding logic

// ... rest of function

}

Updates

Lead Judging Commences

cryptoghost Lead Judge 27 days ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.