Submission Details
Impact:
Likelihood:
Buy Now Logic Bypasses Bid Validation
Root + Impact
Description
The buy now functionality doesn't validate that the purchase price is higher than existing bids or covers marketplace fees properly.
if (listing.buyNowPrice > 0 && msg.value >= listing.buyNowPrice) {
uint256 salePrice = listing.buyNowPrice;
// No check if buyNowPrice > currentHighestBid
// No validation that price covers fees
bids[tokenId] = Bid(msg.sender, salePrice);
// ... execute sale
}
Risk
Likelihood:
Users can bypass higher existing bids by using buy now at a lower price
The buy now price might not cover the marketplace fee, causing accounting issues
This occurs whenever the buy now price is set below the current bid + increment
Impact:
Economic loss for legitimate bidders who bid higher than the buy now price
Marketplace loses expected fees
Unfair auction mechanics
Proof of Concept
function testBuyNowBypassesHigherBid() public {
// List NFT with buy now price of 1 ETH
vm.prank(alice);
marketplace.listNFT(tokenId, 0.5 ether, 1 ether);
// Bob bids 1.5 ETH
vm.prank(bob);
marketplace.placeBid{value: 1.5 ether}(tokenId);
// Charlie can still buy for 1 ETH, bypassing Bob's higher bid
vm.prank(charlie);
marketplace.placeBid{value: 1 ether}(tokenId);
// Charlie gets the NFT despite Bob's higher bid
assertEq(nft.ownerOf(tokenId), charlie);
}
Recommended Mitigation
if (listing.buyNowPrice > 0 && msg.value >= listing.buyNowPrice) {
+ require(msg.value >= previousBidAmount + ((previousBidAmount * S_MIN_BID_INCREMENT_PERCENTAGE) / 100),
+ "Buy now must exceed current bid");
uint256 salePrice = listing.buyNowPrice;
// ... rest of logic
}
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.